By Dino Medina, Esq., General Counsel at CDS, and Matthew F. Knouff, eDiscovery Counsel at CDS.
The EU’s General Data Protection Regulation (GDPR) was approved in April 2016 as part of the effort to bring consistency and clarity to laws surrounding personal data. This regulation concerns both the proactive security measures that must be taken to safeguard this data as well as the appropriate handling of data as it is exported from the EU to other jurisdictions. It represents a stronger stance than the Data Protection Directive (Directive 95/46/EC), which was adopted in 1995. Businesses that regularly handle electronically stored information (ESI) should take the time to familiarize themselves with the regulation and understand the impact it will have on their processes before enforcement begins on May 25, 2018.
- Regulation vs. Directive – The Data Protection Directive set forth minimum requirements for EU member states and permitted each member state to create its own more stringent laws. In contrast, the GDPR is a comprehensive body of law that generally preempts similar laws in EU member states. The GDPR is designed to unify the data privacy requirements across all 28 EU member states. In some cases, the GDPR represents a strengthening of protections surrounding the handling of personal data over previous individual member state legislation.
- Increased scope – The GDPR covers data stored within the EU, but also extends to the data of EU citizens being held in other jurisdictions. For example, a company with an online storefront that sells and ships goods from the United States to customers in the EU would need to take GDPR-mandated precautions with the personal data of these EU customers. It is important to note that the GDPR takes a stricter approach than US legislation in defining what constitutes personal data. Under the GDPR, personal photos, information revealing the philosophical and religious beliefs of an individual, and even social media usernames are considered personal data.
- Breach notification – Data subjects impacted by a breach must be notified within 72 hours of the company’s becoming aware of the incident. Similar breach notification laws are in place in forty-eight US states, as well as DC, Guam, Puerto Rico, and the US Virgin Islands, but these US jurisdictions stop short of determining a specific timeframe for notification. The GDPR’s strict and specific notification timeline may provide a template for future legislation around the globe.
- Data Protection Officers – The GDPR requires a Data Protection Officer (DPO) at any company that processes and stores a large amount of personal data, regardless of whether this data belongs to employees or clients. Currently, different countries have different requirements for companies that must have DPOs, with the focus on industries like healthcare and finance where personal data is part of everyday business. Only Germany and Croatia mandate the presence of a DPO across industries. While not every company will be required to appoint a DPO, it may be wise to have an expert in this role to handle privacy-related issues that will arise as a result of GDPR legislation.
- Data transfer – Businesses certified under the EU-US Privacy Shield framework are considered to have an “adequate” level of personal data protection. The future of Privacy Shield is not set in stone, however, and the framework faces multiple challenges from both the US and EU sides. The only certainty is that businesses handling cross-border transfers of data must keep a close watch on the evolution of Privacy Shield, which comes up for its first annual review this September.
- Penalties for non-compliance – Non-compliance with the articles of the GDPR can lead to fines of up to 4% of an entity’s global revenue or 20 million Euros (approximately $23.5MM), whichever is greater. Fines will be levied based on the severity of the infraction, with the highest penalties attached to violating core Privacy by Design concepts embedded in the legislation.
The GDPR represents a shift from viewing personal data privacy and security as a “nice to have” to a “must have” for US businesses that handle cross-border ESI. Be certain that your firm is ready for enforcement next year.
Contact CDS today for a consultation with our cross-border data experts.
CDS is not a law firm and is not authorized to provide legal advice in any jurisdiction. These materials are for informational purposes only. They are not intended, and should not be construed, as legal advice on any particular set of facts or circumstances.