A Checklist for U.S. Based Companies
The new General Data Protection Regulation (GDPR) will come into effect on May 25, 2018. If your U.S. business has an interest in the EU, or if you process data of citizens who reside within the EU, you will need to review your business processes, data flows, security practices, and train your people to comply with the GDPR. If you haven’t started already, don't panic, but start planning a compliance strategy now. Smaller businesses or those handling smaller amounts of Personal Data may be caught off-guard.
Intended to protect EU citizens from privacy and data breaches, and to harmonize privacy laws in the EU, the GDPR will apply globally and require significant changes to the privacy practices of U.S. companies. The three most significant changes from the previous EU Privacy Directive are that the GDPR will: (1) apply globally to protect Personal Data (defined in Part A.2. below) of individuals located in the EU, even if the data is collected for (or processed by) a company outside of the EU; (2) impose steeply increased fines; and (3) strengthen consent requirements such that confusing terms and ambiguous conditions will no longer protect the Data Controller or Data Processor. Almost any website that uses tracking cookies, or any mobile app that retrieves location or usage information, will be subject to the GDPR. In effect, the GDPR is designed to pull in and impact the processes of U.S. technology companies.
This is the biggest change to privacy and data protections in 20 years. There is still uncertainty about how the GDPR will be enforced, and the regulation contains much unclear language that will be subject to interpretation. For example, an organization must appoint a data protection officer if its core activities consist of monitoring individuals and are “large scale.” A company must implement a Privacy Impact Assessment (PIA) if it uses “systematic and extensive evaluation” of individuals. It’s currently unclear what these terms mean. GDPR Supervisory Authorities will need to provide further definitions of the terminology and clear guidance, specifically regarding the right to data portability, the concepts of “high risk” and “large scale” processing activities, the role of the data protection officer, and how and when Privacy Impact Assessments are to be implemented.
This article provides an introduction to the impact of the GDPR on U.S. based companies. First, it provides a brief overview of the GDPR and key concepts. Then, it delves more deeply into compliance, including the nature of consent to use Personal Data, transfers of data, security, and data breaches. Finally, it provides a checklist as a starting place for practical actions you can take now.
KEY THINGS TO KNOW ABOUT THE GDPR
Important implications for U.S. based companies are that the GDPR:
Applies Beyond the EU. The Regulation applies primarily to businesses established in the EU. Yet even if your company is outside the EU, if it is part of a chain of providers that relates back to the EU, or simply touches EU Personal Data, you need to comply. Specifically, the GDPR applies to businesses outside the EU that (a) offer goods and services to individuals in the EU (paid or unpaid); or (b) monitor the behavior of individuals in the EU. Although intended to address the tracking of individuals for purposes of profiling, it’s unclear what constitutes “monitoring.”
Applies to Personal Data of Individuals Residing in the EU. “Personal Data” is defined more broadly than under any privacy laws of the U.S. and of most other countries. “Personal Data” means any information relating to a natural person that can be used to directly or indirectly identify the person. Identifiers include names, ID numbers, vehicle ID numbers, location data, online identifiers (such as log-in codes, cookie identifiers, and IP addresses), or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the person. Personal Data includes information about employment, personal details (including genetic and biometric data), family and lifestyle details, contracts for goods and services, education and training, medical, and financial information.
Places Greater Burdens on Data Processors. This is a significant change from the 1995 EU Directive, which placed the burden of compliance on Data Controllers (those collecting Personal Data and determining the purposes and means of processing it). The GDPR creates direct obligations and liability for Data Processors (generally contractors that transmit, analyze, or process data for Controllers), wherever they are located. In other words, the GDPR balances obligations between companies requesting services (Controllers) and companies offering services (Processors). Data Processors, as well as Data Controllers, will be subject to GDPR fines. So, cloud companies are not exempt.
Requires Data Protection by Design and Default (Privacy-by-Design). Privacy practices must be built into each new development or business relationship from the outset. For example, a Data Controller will have to implement appropriate technical and organizational measures in its systems design and its contracts, rather than create add-ons later. Appropriate privacy practices include the establishment of internal data protection policies. Pseudonymization may be used (which means processing Personal Data so that it no longer identifies a Data Subject without additional information), or Data Minimization (which means that Data Controllers limit access to Personal Data to those who need it to perform the processing).
Increases Notice & Consent Requirements. The GDPR sets more specific conditions under which an individual whose Personal Data is being processed (the Data Subject) is deemed to have consented to the collection and processing of his/her Personal Data. Lengthy or hidden terms and conditions will not comply. Consent must be clear, distinguishable from other matters, and provided in an intelligible and easily accessible form, using clear and plain language. Consent must be “freely given, specific, informed, and unambiguous.” Acceptable forms of obtaining consent include ticking a box on a website, choosing technical settings for an online service, or any other conduct which clearly indicates consent in the context.
Shortens the Time for Notification of Data Breach. Notice must be given within 72 hours of a data breach to authorities and affected customers. Incident response teams will need clear procedures and messages prepared in advance – and even then it may be very challenging for some companies to comply within the 72-hour window.
Substantially Increases Penalties. Penalties under the GDPR are steep – up to 4% of annual worldwide turnover (gross income) or €20,000,000, whichever is greater. Supervisory Authorities, which are regulators in each Member State, can audit, issue warnings, and issue a ban on processing. Violators are also subject to direct suit by Data Subjects.
May Require a Data Protection Officer. A Data Protection Officer (DPO) must be appointed in the case of (a) public authorities; (b) organizations that engage in "large scale" systematic monitoring; or (c) organizations that engage in large scale processing of special categories of data, such as that relating to criminal convictions and offenses. If you engage in "regular, systematic" collection or storage of sensitive Personal Data you may be required to appoint a DPO. This provision of the GDPR will likely be subject to further interpretation. The DPO may have a background in privacy, law, security, marketing, or customer support. The DPO will need access to your company’s security controls, identity and access management, and will have an impact on purchasing, and use of CRM and analytics. These businesses will need to appoint a representative in the EU, subject to certain limited exemptions. The representative may have to accept liability for breaches of the GDPR.
May Require a Privacy Impact Assessment (PIA). If a Data Controller's processing of Personal Data is “high risk,” it will need a Privacy Impact Assessment (described below in "Key Obligations of Data Controllers."). The Supervisory Authority of a Member State is required to create a list of processing operations that require a PIA.
Expands the Rights of Data Subjects. The individual whose Personal Data is processed, the Data Subject, may withdraw their consent to the processing of the Personal Data at any time. Data Controllers must provide the Data Subject with access to their Personal Data and provide them a copy in printed or electronic form (in electronic form if requested by electronic means) (Data Portability). The Data Subject has the right to have incorrect Data rectified, to restrict the processing of their Data, and to have Personal Data erased (the Right to be Forgotten).
Do you Process "Personal Data"? The GDPR applies to “Personal Data” of individuals residing in the EU. "Personal Data" means any information relating to a natural person that can be used to directly or indirectly identify the person. It may consist of anything from a name, a photo, an email address, bank details, or posts on social networking sites, to IP addresses. What constitutes Personal Data in the EU is broader than the definitions of privacy-protected information in the U.S., and has been expanded to include genetic and biometric data. Information such as log-in information, IP addresses, and vehicle identification numbers, although not enabling direct identification of individuals, allows for indirect identification of individuals and is therefore considered Personal Data. In addition, certain information is classified as “Sensitive Personal Data” if it relates to racial or ethnic origin, political opinions, union membership, religious beliefs, genetic data, biometric data, health, sexual orientation, or criminal convictions, and requires tighter controls. Legitimate purposes for the processing of Sensitive Personal Data are more limited, or require explicit consent by the Data Subject.
Does The GDPR Apply To You? The GDPR applies directly to EU Member States and significantly expands its reach beyond them to any jurisdiction where the data processing takes place. Specifically, the GDPR applies to three categories of entities:
First, a Controller or Processor that maintains an “establishment” in the EU will be subject to the GDPR if it processes Personal Data “in the context of” that EU establishment, regardless of whether the processing actually takes place in the EU. While the term “establishment” is not defined, the GDPR explains that “effective and real exercise of activity through stable arrangements” will satisfy the provision. Additionally, “[t]he legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect.” In other words, the regulation may apply even if an organization’s nexus to the EU is less formal than a parent-subsidiary relationship.
Second, a Controller or Processor not established in the EU will be subject to the GDPR “where the processing activities are related to offering goods or services to data subjects in the EU,” even when the goods and services are offered for free. Determining whether an entity offers goods or services (in at least one Member State) that trigger the GDPR’s requirements depends on multiple factors. Such factors include, for example, the use in marketing of a language or a currency generally used in one or more Member States, with the possibility of ordering goods and services in that language, the mentioning of customers or users who are in the EU, the use of a top level domain name of a Member State, or the use of advertising targeted at individuals in a Member State.
Third, a Controller or Processor not established in the EU will be subject to the GDPR if it processes the Personal Data of Data Subjects in the EU and that processing is related to the “monitoring” in the EU of the “behavior” of Data Subjects as their behavior takes place within the EU. One example of "monitoring" is when “natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to make decisions concerning her or him or for analyzing or predicting her or his personal preferences, behaviors and attitudes.” Physical monitoring may also be included, such as by video camera recording.
Are you a Data Controller or Data Processor? Data Controllers and Data Processors are subject to different requirements under the GDPR. But the requirements of each are more similar under the GDPR than under the old Directive. A Data Controller, acting alone or together with others, “determines the purposes and means of the processing of personal data.” A Data Processor, on the other hand, “processes personal data on behalf of the controller.” "Processing" is broadly defined as any operation or set of operations which is performed on Personal Data or on sets of Personal Data.
In practice, this means that most services touching Personal Data will be considered to be involved in "processing" Personal Data and, therefore, will have obligations under the GDPR. Even though a Controller may appear to delegate most or all of its responsibilities to a Data Processor under a contract, Controllers remain liable under the GDPR.
Key Obligations of Data Controllers. A Data Controller must ensure that it complies with all six of the following General Principles, which require that Personal Data processing is: (1) lawful, fair, and transparent; (2) used for a limited, explicit, legitimate purpose; (3) limited to what is necessary in relation to the purposes; (4) accurate and up-to-date; (5) in identifiable format for no longer than necessary; and (6) secure. The Data Controller must have a legal justification for processing the Personal Data or it must obtain express consent. Legal justifications include processing necessary: (1) for the performance of, or entry into a contract with a particular Data Subject; (2) for compliance with a legal obligation to which the Controller is subject under EU or Member State law; (3) to protect the “vital interests” of the Data Subject or of another natural person; (4) for the performance of a task in the public interest or in the exercise of official authority vested in the Controller; or (5) for the purposes of legitimate interests pursued by the Controller or third party, “except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.”
When the Data Controller cannot rely on any of the five legal exceptions set forth above, it will need to obtain the Data Subject’s express consent. To be valid, consent must be freely given, specific, informed, and unambiguous. Controllers intending to rely on consent will need to make sure that they implement a mechanism that collects and monitors consent (e.g., a clear banner or a box to be ticked specifically consenting to the specific purposes for processing). If data are processed for purposes other than the purpose stated when the data were collected, and if the new purposes are not compatible with the original purpose, the Data Controller will need to rely on one of the five exceptions, or obtain new consent.
Data Controllers must conduct a Privacy Impact Assessment (PIA) before undertaking any processing that presents a specific privacy risk due to its nature, scope, or purposes. A PIA is required where the processing (a) is a systematic and intensive evaluation of Personal Data that may produce legal effects for the Data Subject or significantly affect them (e.g., profiling); (b) involves special categories of Personal Data or data relating to criminal convictions on a large scale; or (c) is a systematic monitoring on a large scale. Further guidance from authorities in interpreting the scope of these requirements is needed.
Data Controllers must have a binding written agreement or other legal act that requires their Data Processors to implement the safeguards required by the GDPR. There are specific requirements for the contract language, including: the specific description of the subject matter of and the type of Personal Data, the duration of the processing, the nature and purpose of the processing, the categories of Data Subjects, the obligations and rights of the Data Controllers, and other specific stipulations. (See "Changes to Processing Contracts" below.)
Data Controllers have specific obligations to keep the following records: purposes of their processing, descriptions of categories of processing, categories of recipients and locations if in third countries, details of transfers of Personal Data to third countries, and descriptions of security measures. Businesses with fewer than 250 employees may be exempt from these record keeping requirements, unless their processing is risky, frequent, or includes Sensitive Personal Data.
Key Obligations of Data Processors. The GDPR will apply directly to Processors, which is a big change from the previous Data Protection Directive, under which Processors could be exempt. Processors will be jointly and severally liable with the Controller for compensation claims by Data Subjects. In addition, the GDPR creates a number of direct obligations for Data Processors:
Data Security: A Processor is required to implement appropriate technical and organizational measures to ensure adequate data security. Assessment of the requisite security must take into account “the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed.”
Data Breach Notification: In the event of a data breach, the Processor must notify the Controller “without undue delay.”
Following Controller’s Instructions: A Processor may not process any Personal Data except in accordance with instructions from the Controller. If a Processor acts outside the scope of its authority granted by the Controller, it will be considered to be a Controller and subject to Controller obligations under the GDPR.
Changes to Processing Contracts: Written contracts between Controllers and Processors are required. The mandatory provisions in all Processor contracts must address: the subject matter and duration of the processing; the nature and purpose of the processing; the type of Personal Data and categories of Data Subjects; and the obligations and rights of the Controller. In addition, under the processing contract, the Processor must: act only on the written instructions of the Controller; ensure that all people processing are subject to a duty of confidence; take appropriate measures to ensure the security of processing; engage sub-processors only with prior consent of the Controller; assist the Controller in providing Data Subjects access to exercise their rights; assist the Controller in meeting its GDPR obligations; return all Personal Data to the Controller at the end of the contract; and submit to audits and inspections. In the future, standard contract clauses may be adopted by the EU Commission or the ICO, but no such clauses have yet been drafted. Guidance on international transfers is also expected from the Article 29 Working Party in the future.
Sub-Processing: A Processor may not use another Processor in connection with its processing of EU Personal Data without first receiving authorization from the Controller.
Designated Representatives: As with Controllers, when a Processor is not established in the EU but is still subject to the GDPR, it must designate a representative in one of the Member States in which one of the relevant Data Subjects is located, unless the processing is occasional or does not involve widespread processing of certain special categories of data.
Record-Keeping: Processors with 250 or more employees are required to maintain a record of all categories of processing activity carried out on behalf of a Controller, including the following specific information: the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and of the controller’s representative (if any); the name and contact details of the processor’s DPO (if any); the categories of transfers of Personal Data to a third country or an international organization; and, where possible, a general description of the data security measures put in place by the Processor.
A Processor with fewer than 250 employees need only keep such records if it is undertaking processing that is likely to result in a risk to the rights and freedoms of Data Subjects, the processing is more than occasional, or the processing includes certain special categories of data relating to racial or ethnic origin, religious and other beliefs, sexual orientation, or criminal convictions and offenses. Records must be made available to a supervisory authority upon request.
Data Protection Officer: In a similar way that Controllers may be required to appoint a Data Protection Officer, Processors may also have such a requirement.
The Rights of Data Subjects. The individual whose Personal Data is processed (the Data Subject) will have a number of specific rights. The GDPR will make it harder to obtain an individual’s consent to have his/her Personal Data processed, and the individual can withdraw his/her consent at any time. The Data Subject has the right to obtain confirmation from the Data Controller if their Personal Data is being processed, where, and for what purpose. The Data Controller must provide a copy of the Personal Data, free of charge, in electronic form (Data Portability). A Data Subject also may require the Data Controller to erase their Personal Data, cease further dissemination of the Personal Data, and potentially, have third parties stop further processing of the Personal Data (the Right to be Forgotten).
Cross-Border Data Transfers. The GDPR restricts transfers of Personal Data outside the EU unless certain conditions are met. Personal Data can only be transferred outside the EU to third countries in compliance with the conditions of transfer. The third country must have adequate levels of protection that are "essentially equivalent to that ensured within the Union", and provide Data Subjects with effective and enforceable rights and means of redress. U.S. laws are not "essentially equivalent." So, transfers to the U.S. must fall within one of the GDPR's derogations. Transfers of Personal Data can be made outside the EU where the Controller or Processor has provided adequate safeguards, provided that Data Subjects are able to enforce their rights and legal remedies. Appropriate safeguards may be provided by a legally enforceable instrument between public authorities, Binding Corporate Rules (BCRs), Standard contractual clauses adopted or approved by the Commission, an approved Code of Conduct, or an approved certification mechanism.
Data Subjects will be granted a third party beneficiary right against the EU data exporter and, under certain circumstances, against the non-EU data importer to enforce several of the required contractual obligations. Standard contractual clauses can be adopted in the future by the European Commission, or adopted by supervisory authorities and approved by the Commission. Yet such standard clauses have not yet been provided. Transfers on this basis will not require approval by national supervisory authorities. This will remove an existing administrative burden in some Member States. In practice, the use of the standard clauses (once published) will be the simplest and most practical way of ensuring compliance. (See the list of compulsory requirements in "Changes to Processing Contracts" above.)
Binding Corporate Rules (BCRs) are self-governing policies or guidelines established by certain multinational corporations, international organizations, and groups of companies to make intra-organizational transfers of Personal Data across borders in compliance with the GDPR. This is a self-regulating effort which is an alternative to the defunct Safe Harbor, but does not constitute automatic compliance.
EU-U.S. Privacy Shield and Certifications. In February of 2016, the U.S. and the EU reached a political agreement to implement a new Privacy Shield program. The EU adopted the framework in July of 2016. The 2016 EU-U.S. Privacy Shield would allow participating organizations in the U.S. to receive and process EU Personal Data. Organizations must self-certify as Privacy Shield-compliant, committing to process data only in accordance with the principles set forth by the program. Only organizations subject to the enforcement authority of the Federal Trade Commission or the Department of Transportation are eligible to participate. As of February 2017, the future of the Privacy Shield is uncertain because it has been contested by a number of privacy groups as inadequate.
Companies can also demonstrate compliance with the GDPR through Codes of Conduct and Certification mechanisms by accredited bodies. Codes of Conduct are prepared by associations or accreditation bodies representing categories of Controllers or Processors and must go through a specified approval process that differs depending on whether the code governs processing activities in a single EU state or in several states. Certification entails the provision of an assessment and impartial third-party attestation that fulfilment of specified requirements has been demonstrated. The requirements are usually derived from technical standards or legislation (e.g., the ISO/IEC 17067:2013 standard). Certification does not in itself establish compliance; it merely provides a presumption of conformity with the GDPR.
Children. Consent from a child under age 16, in relation to online services, will only be valid if authorized by a parent. Member States may elect to reduce the age to 13.
Although the GDPR is intended to harmonize EU privacy laws, it’s likely there will be differences in the way the Regulation is interpreted and enforced in different Member States. Some areas in which Member States may increase the restrictions to protect privacy include children, employees’ data, national security, and national identity numbers.
Brexit and the GDPR. The GDPR will become directly applicable on 25 May 2018, before the UK leaves the EU (scheduled for 29 March 2019). Once the UK leaves the EU it will become a "third country" for the purposes of Personal Data transfers from the EU. It will be required to have an "adequate" level of data protection, comparable to that of the EU, so that Personal Data transfers from the EU to the UK can continue to take place. The UK government has confirmed that the UK will implement the GDPR and comply with the GDPR once Brexit has been completed.
INITIAL CHECKLIST TO CONSIDER FOR NEXT STEPS
The GDPR fundamentally changes the way U.S. technology companies handle Personal Data. Each Company’s requirements will be different. We welcome you to contact Anne@Bostontechlaw.com or David@Bostontechlaw.com if you have questions or need help setting up a compliance structure.
As a starting point, we recommend you consider the following steps:
Determine what Personal Data (as defined by the GDPR) you currently collect and want to collect in the future, why you collect the data, with whom you share it, how long you keep it, how you will use it, and your legal basis for processing the Personal Data.
Data Controllers should update their Processing Contract templates and ongoing contracts to include the new required language for Processing Contracts (discussed above).
Data Controllers should update their Privacy Policies and examine their processes for collection of Personal Data (as defined by the GDPR, as applicable for EU residents). In those instances where consent is needed, determine how you will get consent and whether your current consent approach is sufficient. Establish a mechanism to honor opt-outs or withdrawals of consent. Consider an automated tool to manage those requests.
Review your current tags and cookies to align data collection and retention with your current use. Remove unused data. Tailor your data collection practices to your business objectives and needs.
Protect Data by Design and Default. Implement appropriate technical and organizational safeguards when processing Personal Data, for example, use pseudonymization. Controllers should consider the state of the art, the costs of implementation, the context and purposes of processing, and the risks and severity of loss of privacy to the Data Subjects. Matching security measures appropriate to the sensitivity and extent of the Personal Data is key.
Document your risk mitigation efforts to help you establish an audit trail and demonstrate compliance. What are your processes for access controls and rights management? If you collect analytics, review existing Personal Data rights workflows, internal processes, and points of contact.
When possible, use approved Codes of Conduct or obtain approved certification (discussed in Part B.8. above).
In many cases, you may have to make subjective value judgements about whether your processing of Personal Data complies with the GDPR. For example, when you obtain consent, is there an imbalance of power? Even if you pursue a legitimate interest in processing Personal Data, does it override the Data Subject’s rights and interests? There will be many gray areas and possibilities for technical breaches. In managing risk, assess your processing activities as provided above and establish a plan and policies to demonstrate your compliance.
Boston Technology Law, PLLC
One Broadway, 14th Floor
Cambridge, MA 02142
t (617) 848-2605 | f (617) 848-2629