The
General Data Protection Regulation (GDPR) is here! Now, compliance and, thus,
the avoidance of hefty penalties should be a concern for any business
processing personal data of European Union citizens. Naturally, the first and
most important question is: what obligations, if any, are imputed to businesses
in regard to EU citizens under the new General Data Protection Regulation
(GDPR) scheme? The answer may surprise you: any company, regardless of whether
or not the company is physically present in the EU, that processes personal data
of natural persons (called “data subjects”) in the European Union (EU) for professional
or commercial purposes[1]
must comply with GDPR mandates[2].
This includes email-based marketing and newsletters. Interestingly, GDPR’s
application to “natural persons” means that data from corporations and other legal
entities do not fall within GDPR mandates.[3]
Also,
it is noted that there may be potential loopholes to GDPR that allow some to
fall outside GDPR compliance; however, such possibilities are outside the scope
of this article and may or may not actually remove compliance mandates.
Key Compliance Requirements:
Data
Audits: Companies
should audit personal data and document: what personal data are held; how and
where the data were acquired; and with whom the data are shared.[4]
If an entity has at least 250 employees or processes certain types of highly
sensitive personal data (e.g., religious or political beliefs, and similar), GDPR
generally requires that records be maintained as to what is collected and held.[5]
This also means information must be kept up-to-date, with inaccurate data being
deleted or corrected[6]
within the entity’s systems and with any third parties with whom the data have
been shared.
Privacy
Policies: Privacy
policies and notices should be reviewed and potentially updated.[7]
Privacy policies should reflect that data is processed in a lawful, fair, and
transparent manner.[8]
Thus, the following should be addressed to varying degrees based on whether
personal data have or have not been obtained from the data subject: (1) the
identity and contact information of the controlling or processing entity; (2) the
lawful basis for processing the data; (3) that data are being processed and the
purpose of the processing; (4) with whom the data will be shared; (4) how long
the data will be stored; (5) generally, the rights of the subject and the
obligations of the processing or controlling entity, as determined by GDPR; (6)
if data will be processed for a different use, thus requiring additional
disclosures[9];
and (7) lastly, the policy must be in plain language and easy to understand.[10]
Also,
note that where data are obtained from one other than the data subject, the
controlling or processing entity must, at specific times in relation to when
obtained and in what context, disclose to the data subject that it obtained data.[11]
Essentially,
the above means that privacy policies and notices will need to be separate and
distinct based upon how and from whom the data was received.
Rights
of Individuals:
GDPR enumerates a host of rights now enjoyed by data subjects: “the right to be
informed; the right to access; the right to rectification; the right to
erasure; the right to restrict processing; the right to data portability; the
right to object; and the right not be subject to automated decision-making
including profiling”.[12]
Thus, generally, GDPR gives data subjects the right to largely restrict,
direct, or otherwise control what and how personal data are used. Also note
that a data subject has the right to request information about what data an
entity possesses regarding the subject. Thus, procedures should be implemented
to address such requests fully and in a timely manner.
Lawful
Basis or Bases for Processing Personal Data: GDPR requires that, for processing of personal data
to occur, a controller or processor must have a lawful basis for doing so.[13]
Though only one basis is needed, it may prudent to have multiple bases for
processing personal data. Some such bases are: (1) where consent has been
obtained from the data subject; (2) where processing is necessary to perform a
data subject’s contract or perform activities at the request of the data
subject prior to forming a contract; and (3) where processing is necessary to
further legitimate interests of the controller or a third party, unless the
data subject’s interests or rights and freedoms override such legitimate
interests.[14]
Also,
please remember that there are certain requirements for consent[15],
special rules where children are involved[16];
and special rules for certain types of personal data (i.e., highly personal data
(religious beliefs, political beliefs, and others) and some criminal matters).[17]
Data
Breach Policies:
Generally, GDPR now requires controllers to notify the relevant authorities of
any personal data breach “without undue delay” and within 72 hours after
learning of the breach where such time period is feasible.[18]
Additionally,
where a breach likely brings a high risk to rights and freedoms of data
subjects, the breach must be communicated to data subjects without undue delay and
in plain language.[19]
Data
Protection by Design and Data Protection Impact Assessments: GDPR imparts upon controllers
and processors the general requirement to implement necessary technical and
organizational steps to create a default system where only the personal data
needed for processing are so processed, stored, and accessible.[20]
Further, where processing is likely to create high risk to rights and freedoms
of data subjects, such as where new technologies are in use, entities must
perform a data protection impact assessment.[21]
Data
Protection Officers:
Where processing is: (1) executed by a public authority or body, other than the
courts in a judicial capacity; or (2) executed by entities that, as part of
their core activities, monitor data subjects or process personal data on a
large scale, GDPR requires the appointment of a data protection officer (DPO)
within the organization and the publishing of contact information for the DPO.[22]
Articles 38 and 39 of GDPR set forth the scope of the DPO’s work, which is
generally to be involved with data protection and compliance within the entity.[23]
Lead
Supervisory Authority:
If an entity processes personal data in more than one EU member country, the
entity should determine which supervisory authority is the lead supervisory
authority for compliance with GDPR, as determined by the entity’s primary
location.[24]
A Note on Consent:
Consent
will likely be one of the predominant legal bases for processing personal data.
As such, it is necessary to explore the contours of consent with some
specificity.
GDPR
inserts a presumption that consent is not freely given.[25]
Thus, care should be used in determining if consent is the appropriate legal
basis to use in relation to personal data processing.[26]
Generally, consent requests must address the following: (1) the entity’s name must
be provided (and that of any third parties with access to the data), as well as
the purposes, methods, and uses of personal data; (2) must be separate and
distinct from other terms of use or service (e.g., in a separate document or
email); (3) should not be a pre-condition to use or service; (4) must be a
clear and affirmative action (no pre-checked boxes); (5) must address each type
of processing, if more than one; (6) must include information about the right
to withdraw consent, and withdrawal must be simply and easy to complete; and
(7) must be easy to read and understand.[27]
Additionally,
consent records for each consent obtained (who, when, what he or she was told,
how he or she consented, and whether consent has been withdrawn and, if so, when)
must be kept.[28] Reviewing
existing consents is strongly encouraged to ensure compliance with GDPR’s new,
more stringent consent standards.[29]
Lastly, give careful attention to any possible imbalance in the relationship
between the controller and data subject (e.g., employer/employee), as this
greatly raises the difficulty in achieving true consent under GDPR.[30]
The use of consent as a legal basis in such cases should likely be avoided.[31]
[1] GDPR, Recital 18,
https://gdpr-info.eu/recitals/no-18/.
[2] GDPR, Art. 3(2), https://gdpr-info.eu/art-3-gdpr/.
[3] GDPR, Art. 1(1), https://gdpr-info.eu/art-1-gdpr/; GDPR
Recital 1, https://gdpr-info.eu/recitals/no-1/; GDPR Recital 2, https://gdpr-info.eu/recitals/no-2/.
[4] Information Commissioner’s Office,
https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf.
[5] Id.
[6] GDPR, Art. 5(1), https://gdpr-info.eu/art-5-gdpr/.
[7] See Footnote 4.
[8] See Footnote 6.
[9] GDPR, Art. 13, https://gdpr-info.eu/art-13-gdpr/;
GDPR, Art. 14, https://gdpr-info.eu/art-14-gdpr/.
[10] GDPR, Recital 58,
https://gdpr-info.eu/recitals/no-58/.
[11] GDPR, Art. 14(3), https://gdpr-info.eu/art-14-gdpr/.
[12] See Footnote 5; GDPR, Chapter 3,
https://gdpr-info.eu/chapter-3/.
[13] GDPR, Art. 6, https://gdpr-info.eu/art-6-gdpr/.
[14] Id.
[15] GDPR, Art. 7, https://gdpr-info.eu/art-7-gdpr/.
[16] GDPR, Art. 8, https://gdpr-info.eu/art-8-gdpr/.
[17] GDPR, Art. 9, https://gdpr-info.eu/art-9-gdpr/; GDPR,
Art. 10, https://gdpr-info.eu/art-10-gdpr/.
[18] GDPR, Art. 33(1), https://gdpr-info.eu/art-33-gdpr/.
[19] GDPR, Art. 34, https://gdpr-info.eu/art-34-gdpr/.
[20] GDPR, Art. 25, https://gdpr-info.eu/art-25-gdpr/.
[21] GDPR, Art. 35(1), https://gdpr-info.eu/art-35-gdpr/.
[22] GDPR, Art. 37, https://gdpr-info.eu/art-37-gdpr/.
[23] GDPR, Art. 38, https://gdpr-info.eu/art-38-gdpr/;
GDPR, Art. 39, https://gdpr-info.eu/art-39-gdpr/.
[24] GDPR, Art. 60, https://gdpr-info.eu/art-60-gdpr/;
GDPR, Recital 124 https://gdpr-info.eu/recitals/no-124/.
[25] GDPR, Recital 43,
https://gdpr-info.eu/recitals/no-43/.
[26] Information Commissioner’s Office,
https://ico.org.uk/media/about-the-ico/consultations/2013551/draft-gdpr-consent-guidance-for-consultation-201703.pdf.
[27] Id.
[28] Id.
[29] Id.
[30] Id.
