The European Union’s (EU) General Data Protection Regulation (GDPR) goes into effect May 25th. The GDPR offers strict new rules around protecting personal data of EU citizens for transactions that occur within EU member nations.
It is important for US companies selling goods or services in the EU, or with a web presence, to understand the scope of the GDPR as compliance with the new standards will be challenging for all companies who are subject to them and the fines for non-compliance are severe. While large, data-driven US companies have likely been planning for the GDPR for months, smaller US companies handling small amounts of EU personal data will also have to plan for the new rules.
Here is a brief overview of what US companies should be aware of relating to the GDPR:
General Data Protection Regulation Overview
Basically, any company that stores or processes personal information from EU residents located in the EU, even if the company does not have a physical presence in the EU, must comply with the new rules.
The GDPR very broadly defines the personal data which companies must protect, so not only does the GDPR protect basic identity information (name, address, government issued ID number), it also protects behavioral data collected from cookies used for profiling individuals.
Unless a permissible lawful basis for processing the personal data of an EU resident exists (items listed in Article 6 of the GDPR which include processing necessary for compliance with a legal obligation and processing necessary for the vital interests of the EU resident), EU residents must consent to the processing of their data. The consent must be freely given, specific, informed and unambiguous (pre-checked opt-in boxes do not qualify as valid consent).
Companies may not keep personal data for longer than necessary and EU residents have the “right to be forgotten,” meaning the right to request the deletion of their personal data.
The General Data Protection Regulation divides companies processing personal data into two categories: data controllers (companies that own the data) and data processors (outside third parties who help process or manage the data on behalf of data controllers). Data controllers and data processors will have joint liability under the GDPR, meaning a data controller could be liable if a third-party vendor fails to comply. The GDPR contains a detailed list of the contractual requirements that should be in place in any agreement between a data controller and data processor.
The requirements of the General Data Protection Regulation are demanding. Given the intentionally broad applicability of the regulation, any US company doing business in the EU or with a web presence intended to attract customers in the EU, are going to be subject to it. These companies, if they have not already done so, should invest the time and resources to fully understand how they use, process, store, transfer and share personal data and the obligations under the GDPR that come with this.