“Everyone has the right to respect for his private and family life, his home and his correspondence.” – 1950 European Convention on Human Rights
Known as the toughest privacy and security law in the world, the General Data Protection Regulation (GDPR) was implemented by the European Union (EU) in 2018, imposing obligations on companies that target or collect data on people who reside in or are citizens of the EU (EU Individuals). GDPR is designed to give EU Individuals more control over their personal data, including how it is collected, used, and protected.
GDPR applies to companies that process EU Individuals’ personal data or offer goods and services to EU Individuals. To clarify who plays which role in these situations, the EU has provided definitions for the actors and activities subject to GDPR:
“Personal Data” is any information that relates to an individual who can be directly or indirectly identified, including their name, email address, location information, ethnicity, gender, biometric data, religious beliefs, web cookies, and political opinions. Pseudonymous data can be personal data if you can easily identify the individual from it.
“Data Processing” is any action performed on data, whether automated or manual, including collecting, recording, organizing, structuring, storing, using, or erasing any information.
“Data Subject” is the person whose personal data is processed, such as customers or site visitors.
“Data Controller” is the person who decides why and how personal data will be processed, including an owner or employee of a company who handles personal data.
“Data Processor” is a third party that processes personal data on behalf of a data controller.
GDPR requires companies to adhere to its regulations in using and securing personal data. Companies must safeguard personal data and justify its collection or face heavy fines and penalties, which may be up to the higher of $24.1 million or 4% of a company’s annual global turnover.
Notable Fines Against US Companies For Non-Compliance
EU member states have taken enforcement actions against US companies for data breaches and unlawful data processing. For example, in 2019, Google was fined $56.6 million for failing to provide more information to users in consent policies and falling short in granting users more control over how their personal data was processed. A year later, Google was fined $7.9 million for not fulfilling the rights of data subjects, specifically by failing to ensure a process was in place to respond to data subjects’ requests for erasure without undue delay and within one month of receipt.
Marriott was fined $23.8 million for failing to perform adequate due diligence to detect a computer hack that exposed 383 million guest records (30 million EU Individuals) which could have been prevented with a stronger data loss prevention strategy and better de-identification methods.
There are current investigations ongoing against US companies, many of which are directed at tech-based companies that use personal data in their daily operations.
Which Companies Must Comply With GDPR?
The examples above involve well-known large US companies, but GDPR still applies to small and medium-sized companies engaging in “professional or commercial activity.” Specifically, GDPR applies to:
- Companies that process personal data as a data controller or data processor in the EU, regardless of whether the processing takes place in the EU.
- Companies that process personal data of data subjects in the EU, even if the company itself is not based in the EU. The data processing activities subject to GDPR include offering goods or services to EU Individuals, or monitoring an EU Individual’s behavior within the EU.
- Controllers not established in the Union that process personal data in a place where Member State law applies by virtue of public international law.
The EU provides guidance on what it means to “offer goods and services” or to “monitor behavior”. Basically, if your company sets out to sell goods or services to EU Individuals as customers, then it is subject to GDPR; or, if your company uses web tools to track cookies or IP addresses of EU Individuals, then it is subject to GDPR. Even if your company has little or nothing to do with the EU, the slightest tracking, gathering or processing of any EU Individual’s personal data will subject it to GDPR.
There are only a couple of exemptions from GDPR, one of which is for companies that engage in “purely personal or household activities.” Also, companies with fewer than 250 employees are relieved (not exempt) from GDPR’s record-keeping obligations.
What Must a Company Do To Become GDPR Compliant?
If your company is subject to GDPR, the first and foremost step is to adopt a Data Processing Agreement (DPA), develop a GDPR compliance checklist, and implement a Data Protection Impact Assessment (DPIA).
- Data Processing Agreement. The DPA sets out the parties’ rights and obligations to protect EU Individuals’ personal information. A DPA must include:
  - the data processor agrees to process personal data only as instructed in writing by the data controller;
  - confidentiality obligations apply to all parties;
  - technical and organizational measures must be used to protect the personal data;
  - the data processor is prohibited from subcontracting its duties unless authorized or instructed to do so by the data controller, and if permitted, then the sub-processor must also sign the DPA;
  - the data processor must assist the data controller in meeting GDPR obligations, especially with regard to protecting data subjects’ rights, security of data processing, and consulting with the data protection authority prior to engaging in high-risk data processing;
  - the data processor must destroy or return all personal data to the data controller upon the termination of the services; and
  - the data processor must permit the data controller to conduct an audit and cooperate in providing all requested information necessary for the data controller to ensure GDPR compliance.
- Compliance Checklist. To help maintain compliance with GDPR, data controllers should develop a GDPR compliance checklist. A GDPR compliance checklist covers points on data processing activities and justifications, how the data processor is protecting personal data, names of parties who are accountable for ensuring adherence to the regulations, and the process to respond to data subjects’ privacy rights and requests.
- Data Protection Impact Assessment. If your company is embarking on a new project that involves “high risk” to the rights and freedoms of EU Individuals, you need to implement a DPIA. This is a new requirement under the updated GDPR. A data controller must assess the data processing operations that may pose a high risk in processing EU Individuals’ personal data. High-risk activities include using new technologies, tracking people’s location or behavior, systematically monitoring a publicly accessible place, processing sensitive personal data, or processing children’s data. Best practice for your company is to conduct a DPIA regardless of whether the new project is high risk.