Even though the new EU privacy law General Data Protection Regulations (“GDPR”) takes effect in May 2018, many US based organizations have either not heard of the GDPR or may believe it only applies to organizations based in the EU. The truth is the GDPR applies to any organization that “offer[s] goods or services to, or monitor[s] the behaviour of, EU data subjects” regardless of the company’s location. GDPR replaces the 1995 EU Data Protection Directive 95/46/EC and is designed to strengthen and standardize European data privacy laws and ensure EU citizens’ data privacy rights.
Companies that have not already identified their data types, data flows, and customer citizenships are at risk of failing to comply with GDPR when it goes into effect in May 2018. Failure to comply with the GDPR could be very costly with fines tiered, based on the extent of the infringement, up to the greater of 4% of annual revenue or €20 Million for failing to protect the rights and data of data subjects!!!!
In the EU, data is owned by the subject and privacy is considered a fundamental right of the data subject. As such there are two concepts in the GDPR that are unnatural for U.S. based entities; the intertwined “Right to Access” and the “Right to be Forgotten.”
The right to access affords and data subject the ability to determine whether a data controller has:
…any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; Article 4(1)
So any organization that holds or processes personal identifiers of EU citizens must be ready to accept and address requests for access. Additionally, after determining that a data controller has data on the subject, the subject has the “right to be forgotten” and request the removal of the data “without undue delay.”
Organizations that do not have a complete and comprehensive mapping of their data in a manner that allows them to distinguish, retrieve, and remove it risk violation. How to approach protection from a cost-based approach is a decision for each organization. For some, segregating data of EU subjects may prove to be the best approach. If data is not classified, all data must be protected to the highest level; thereby increasing the cost of protections. By segregating the data of EU data subjects it can be protected to the appropriate level, rather than expending resources unnecessarily protecting less confidential data.
Some organizations though, such as those that collect financial or health information will find it more cost-effective to protect all personally identifiable information (PII) the same level.
The details, however, can only be addressed once an organization identifies the data they have, how that data flows across the world, and determine whether any of that data is covered by the GDPR. If an organization has not begun this process, time is running out.
Gardere Wynne Sewell LLP has a long history of directing its clients regarding privacy laws in the US and around the world. The expansion of the cybersecurity and privacy legal services team, provides a solid footing for developing and assessing cybersecurity and information security policies and procedures.