How does The European General Data Protection Regulation affect US companies?
HOW DOES GDPR AFFECT U.S. COMPANIES AND WHY SHOULD WE CARE?
What is GDPR?
What is in the GDPR?
The GDPR is the European General Data Protection Regulation, Europe's new framework for data protection law. It replaces the previous 1995 data protection directive and comes into force on May 25, 2018. GDPR will change how businesses and public sector organizations can handle the information of customers, prospects and employees.
GDPR not only applies to organizations located within the EU, but it also applies to organizations located outside of the EU if they offer goods or services to, or monitor the behavior of, EU data subjects.
On Friday, May 25, 2018, the GDPR supervisory authorities will begin to enforce the 99 articles that protect personal rights.
- Penalties are steep for non-compliance. Organizations can be fined up to 4% of annual global turnover, or 20,000,000 Euros.
- GDPR shifts the burden of proof to companies. Companies under investigation will be subject to lengthy investigations that can last years.
- The owners, shareholders, or members of a corporation can be held personally liable for corporate debts (Art. 82).
By passing GDPR (Regulation (EU) 2016/679), the European Parliament, the Council of the European Union, and the European Commission plan to strengthen and unify data protection within the European Union (EU). GDPR also addresses the export of personal data outside the EU.
When GDPR takes effect, it will replace the data protection directive (officially Directive 95/46/EC) of 1995. GDPR was adopted on April 27, 2016, and becomes enforceable on Friday, May 25, 2018, after a two-year transition period. Unlike a directive, GDPR does not require national governments to pass any enabling legislation, and is directly binding and applicable.
GDPR’s main focus is to give the control of personal data back to citizens and residents, as well as simplify the regulatory environment for international business by unifying the regulation within the EU.
The full text of GDPR includes 99 articles within 11 chapters explaining the rights of individuals and obligations placed on organizations covered by the regulation. These include giving people easier access to their data held by companies, a new fines regime, and a clear responsibility for organizations to obtain the consent of people they collect information about.
Articles to note
Article 5 (Principles relating to processing of personal data) contains explicit accountability, which forces the data controller to be able to prove compliance with the requirements of the GDPR, if necessary, to the supervisory authorities.
Article 6 (Lawfulness of processing). The central condition here is that the data subject has explicitly agreed to the processing of his or her data for one or more specific purposes. For companies that work with personal data, this means that at the moment of the very first interaction with a new user or customer, it must be ensured that consent to the processing of the data is requested in a manner that complies with the GDPR.
Article 7 (Conditions for Consent) specifies stricter requirements for consent than those common in current national data protection laws. Companies need to pay more attention than before to detailed documentation of the consent and the option to revoke a given consent.
Article 83 (General conditions for imposing administrative fines) defines the amount of fines to be imposed, which are high even for minor violations. If, for example, no appropriate security measures according to the technological state of the art are implemented, fines of up to EUR 10 million, or (for companies) up to 2% of the worldwide annual turnover, are possible. In the case of infringements of the central principles of the regulation (in particular Articles 5, 6, 7 and 9) or of the rights of the data subject (Articles 12 to 22), the fine can be increased to up to EUR 20 million or, in the case of companies, to up to 4% of the worldwide annual turnover.
Article 17 (Right to be forgotten). The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay, and the controller shall have the obligation to erase personal data without undue delay where specific scenarios apply, such as when the data is no longer necessary or the data subject withdraws consent.
Article 20 (Data Portability). This article stipulates that service providers and data processors must be able to offer each data subject the opportunity to export the aggregated data in a machine-readable format within a reasonable period of time. This right only includes data that was provided by the data subject or generated by her direct actions.
Article 25 (Data protection by design and default). Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organizational measures, such as pseudonymization, which are designed to implement data-protection principles, such as data minimization, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects. An approved certification mechanism pursuant to Article 42 may be used as an element to demonstrate compliance.