April 26, 2018 by Matthew D. Dunn, H. Thomas Davis, Jr. and Brielle E. Kilmartin
The European Union’s (EU) new comprehensive regime for data protection, the General Data Protection Regulation (GDPR), becomes effective on May 25, 2018 and will have a global reach beyond just the EU. It applies to all companies throughout the world which do business with EU consumers or directly or indirectly possess, collect, or otherwise process personal data of EU citizens. In other words, the GDPR applies to many US organizations, including small internet companies, global manufacturers, consumer product companies, professional firms, non-profits, and even public sector organizations. Many US organizations may not realize the scope and applicability of this Regulation and the severe penalties for non-compliance, and are generally unprepared to comply with the GDPR obligations relating to the handling of EU data which go into effect next month. This advisory summarizes the GDPR and its applicability and key requirements, and provides some practical considerations.
What is the GDPR, and Does It Apply to Your Organization?
The EU has been at the forefront of data protection and privacy since 1995 when it issued Directive 95/46/EC (known as the “Data Protection Directive”), which regulated the processing of EU personal data and restricted the transfer of personal data from the EU to only those nations deemed to have adequate data privacy protections (the US did not qualify). The last twenty years have seen a dramatic increase in the use of the internet, digital commerce, global data connectivity, social media, and cloud computing—which has led the EU to expand its data protection framework while ensuring strong enforcement mechanisms.
The GDPR replaces the Data Protection Directive, provides higher levels of protection for personal data, and imposes severe penalties for noncompliance. The new Regulation applies to every business in the world that uses, possesses, or otherwise processes personal data of EU citizens, and provides data subjects (whether employees, customers or suppliers) with rights enforceable against any business or organization that stores or otherwise processes their personal data. The GDPR applies to all entities that (i) are established in the EU; (ii) offer goods or services to EU-based individuals (free of charge or for payment); or (iii) monitor the behavior of EU residents (for marketing, tracking, or targeting purposes). Art. 3. If your organization handles, transports, stores, or otherwise processes personal data of any person in the EU, the GDPR will apply (even if your business is not physically located anywhere in the EU). It applies to “controllers” of data (which make decisions on the processing of data) as well as to “processors” (entities/vendors that merely process data for controllers). Data controllers must ensure compliance by third party processors that they entrust with their data; however, vendors and third party processors are also independently subject to the GDPR.
“Personal data” is broadly defined by the GDPR to mean any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier. This includes name, identification numbers, location data, online identifiers (such as IP and email addresses and cookie identifiers), banking information, genetic identity factors, and other personal data such as physical addresses, birth dates, etc. Art. 4. And information deemed “sensitive personal data” (such as genetics, biometrics, race, ethnicity, political beliefs, religious identification and sexual orientation information) is subject to even more stringent protections. Art. 9.
This means that the GDPR applies to many U.S. organizations—large and small, micro and multinational, for-profit and non-profit, even governmental entities at federal and local levels. It of course will apply to the Facebooks and Microsofts of the world, but will also apply to the small manufacturers which sell goods to EU citizens, professional services firms with EU clients, web-based services providers which have EU subscribers, financial services companies with staff located in the EU, travel and hospitality companies, and non-profits with EU donor lists. The GDPR will also apply to organizations that maintain websites and gather identifying information about visitors (using cookies or otherwise). And these are just a few examples.
Data controllers must minimize data collection and processing to only what is necessary, must ensure appropriate security of data, and must keep accurate records of all processing of applicable data and provide such records upon the request of the applicable EU state’s supervisory authority. Art. 5 & 30.
Lawful processing of data requires that organizations obtain consent of the data subject (EU citizen) or have another authorized legal basis for processing. Art. 6. For consent of a data subject to be valid, it must be “freely given” and the request for consent must be provided in “clear and plain language” in an “intelligible and easily accessible form.” Art. 6 & 7. This cannot be accomplished by implied consent or by simply providing an opt-out option, and the consent must cover all intended uses of the data. Seeking consent may be burdensome and, if data subjects do not provide consent, may considerably reduce the amount of personal data that can be lawfully processed. The GDPR permits processing of personal data without obtaining consent if another specified lawful basis exists—such as to perform under a contract with the data subject, to comply with a legal obligation, for tasks carried out in the public interest, or for other legitimate interests. Art. 6.
Data subjects have the right to object to and withdraw consent to the use of their personal data at any time and it “shall be as easy to withdraw consent as to give it.” Art. 7 & 21. Data subjects must be provided the right to access, obtain (in portable form), and correct any data held about them. Art. 15, 16 & 20. Controllers must respond to any request within a month. Art. 12. Data subjects must also have the right, with some exceptions, to have their data deleted or erased (the so-called “right to be forgotten”). Art. 17. Organizations must store data in a form that is easily searched and accessed in order to comply with requests from data subjects, as well as requests from regulators.
Data controllers must disclose to data subjects (EU citizens) what data they collect, how it is stored, and the purposes for which it is used, as well as the data subject’s right to request access to the data, to withdraw consent, and to lodge a complaint with an EU state’s supervisory authority (as discussed below). This notice must be provided in “concise, transparent, intelligible and easily accessible form” and any changes to the use of data must be communicated on an ongoing basis. Art. 12-14. Thus, organizations will not be permitted to bury vague language about potential uses in terms and conditions on a website or in the fine print of invoices or agreements.
For organizations whose data processing activities are large scale and a core part of their activities (or if the processing is carried out by a public authority), the GDPR requires the appointment of a Data Protection Officer (DPO). Art. 37. The DPO can be somebody within or outside an organization but must have expert knowledge of data protection law and practices, must report to the highest level of management, and must operate independently in order to avoid conflicts of interest. The DPO is responsible for monitoring compliance with the GDPR and acting as the contact point for the member state’s supervising authority. Art. 37-39. It is a position separate from the Chief Information Security Officer (CISO).
Data controllers will not be able to contract away data protection responsibilities, and must include specific language in contracts with subcontractors that provide data processing services in order to ensure that the subcontractors comply with the GDPR. Art. 24 & 28.
Transfers of data to non-EU nations (within the same organization or to a third party) are permitted if such nations are deemed to have an adequate level of protection or an acceptable framework exists (such as the EU-US Privacy Shield), and the transfer otherwise complies with the GDPR. Art. 45. For transfers of data to the US, the EU-US Privacy Shield mechanism will continue to be effective (subject to annual review) provided that there is compliance with other aspects of the GDPR.
Each EU member state must appoint a Data Protection Authority (DPA), at a national level through national legislation, which is responsible for monitoring and enforcing the GDPR. Non-EU entities that offer goods or services in the EU or monitor EU residents (unless the processing is only occasional, small-scale and does not involve sensitive personal data) must appoint a representative in the EU, as a point of contact for EU data subjects and DPAs. Recital 80, Art. 27.
Data controllers are required to report any breach incident (where personal data has been lost, stolen, or otherwise accessed by unauthorized third parties) to the applicable member state’s DPA within 72 hours of becoming aware of the data breach, unless deemed “unlikely to result in a risk to the rights and freedoms of natural persons.” Art. 33. If there is a “high risk of [the breach] adversely affecting individual rights and freedoms” such incidents must be reported to the data subjects “without undue delay”—which may be even sooner than 72 hours after the controller learns of the breach. Art. 34, Recital 86.
Enforcement: Harsh Penalties
Each member state DPA’s jurisdiction and enforcement powers are generally limited to the territory of its own state, and organizations may be subject to the jurisdiction of several DPAs (for each state whose citizens’ data they possess/process). Unlike the Data Protection Directive, however, legislative implementation by each member state is not required. Each DPA has the power to investigate, order compliance, and issue fines for violations (Art. 58), and data subjects may assert claims for damages suffered as a result of GDPR violations.
The GDPR has a severe penalty regime. While the EU has long had privacy and data protection rules and directives, it now has a strong mechanism for enforcement. Financial fines will depend on factors such as the nature of the violation, the intentional or negligent conduct involved, and steps taken to mitigate damage. For the most serious violations, organizations can face fines up to the higher of EUR 20 million or 4% of total worldwide turnover (gross revenues) in the preceding financial year, and for less severe violations, up to the higher of EUR 10 million or 2% of total worldwide turnover. Art. 83. For many large global companies with revenues in the billions, the fines could be massive. This is a very serious change, as member states currently have much smaller fines for violations of data protection rules (e.g., the UK has a maximum fine of £500,000).
Time will tell how aggressively the GDPR is enforced. For non-EU organizations with assets or a physical presence in the EU, the GDPR can be enforced directly by EU member states. If an organization has a GDPR representative in the EU, such representative may be named in any enforcement action and may be liable for the entity’s GDPR violations. Art. 27, Recital 80. However, in practice, it will not be easy to enforce against organizations with no assets or presence in the EU. For example, unless the US enters into some type of cooperation agreement, the only way to enforce the GDPR against a US company is to seek liability through the courts of the EU member state, obtain a judgment, and then seek to enforce the judgment in US courts.
You should conduct an applicability and impact assessment to evaluate whether your organization is subject to the GDPR. This will necessarily involve assessing and identifying all types of EU personal data that is stored or processed, the exact locations of such data, the ways in which such data is used or processed, any third parties to which data is transferred or shared, and the business units involved in the storage and processing of such data.
Once you have compiled this data, consult an attorney who can advise you on an appropriate compliance strategy. This may involve interpretation and assessment of the GDPR’s lawful bases for processing personal data and consideration of whether consent of the data subjects is required. It may also require a formal data protection impact assessment if the intended processing is likely to result in a high risk to the rights and freedoms of data subjects. Art. 35.
Depending on the type and amount of personal data your organization stores and/or processes, your attorney may advise you to do one or more of the following: 1) assemble a cross-functional team to formulate a compliance strategy, which team may consist of legal counsel, compliance personnel, leaders of the relevant business units, IT personnel, the CISO and the Chief Privacy Officer or similar person; 2) make changes to IT or website infrastructure to secure consent from data subjects and increase transparency; 3) make changes to systems and databases that store personal data and evaluate recordkeeping methods; 4) revise or create both external and internal privacy or data protection policies which provide necessary disclosures to data subjects and incorporate applicable GDPR requirements; and 5) conduct audits of readiness and compliance, and educate relevant personnel.
If you have not done so already, you should consider the implications of the GDPR on your organization and take steps to ensure compliance in advance of May 25th. Given the very significant penalties for noncompliance, it is important that organizations be proactive in order to minimize risks and costs.
While proper preparation and compliance may involve significant effort and resources, the GDPR framework will improve organizational data protection and security and increase data processing efficiency, and the better transparency may increase consumer trust and improve relations with customers and employees. While the US does not currently have a federal data protection regulatory regime, the recent Congressional testimony by Facebook CEO Mark Zuckerberg demonstrated that many lawmakers favor increased regulation of personal data uses, and, if the US follows suit, GDPR-compliant organizations will be ahead of the curve.
For more information concerning GDPR compliance or related matters, please contact the authors Matthew Dunn (212-238-8706, firstname.lastname@example.org), Tom Davis (212-238-8850, email@example.com), or Brielle Kilmartin (212-238-8652, firstname.lastname@example.org), another member of CL&M’s Cybersecurity Practice Group, or your regular CL&M attorney.
The text of the full regulation is available at http://data.consilium.europa.eu/doc/document/ST-5419-2016-INIT/en/pdf.
The 1995 Data Protection Directive created a serious dilemma for US businesses that were transferring data from the EU to the US (as part of their operations or in litigation discovery contexts). The current solution to this issue is the EU-US Privacy Shield framework, which was negotiated by the US government and allows US businesses to transfer data if they self-certify to their data protection security measures and if certain other safeguards exist or other requirements are met.
For sensitive personal data (as defined above), unless certain other legal bases exist, organizations must obtain the “explicit consent” of the individual to the processing for specific purposes. Art. 9.
For a US entity, the applicable member state DPA (for breach reporting purposes) may be where the entity has its main EU presence or an EU GDPR representative, or, if there is no presence or EU representative, may be all DPAs in the member states where the affected data subjects are citizens.
Carter Ledyard & Milburn LLP uses Client Advisories to inform clients and other interested parties of noteworthy issues, decisions and legislation which may affect them or their businesses. A Client Advisory does not constitute legal advice or an opinion. This document was not intended or written to be used, and cannot be used, for the purpose of (i) avoiding penalties under the Internal Revenue Code or (ii) promoting, marketing or recommending to another party any transaction or matter addressed herein. © 2020 Carter Ledyard & Milburn LLP.