Many US firms are unaware that the forthcoming General Data Protection Regulation (GDPR) will apply to them, despite the heavy penalties for non-compliance: a fine of up to $23,773,000, or four per cent of the company's annual global turnover. The law, which comes into effect in May 2018, will have a significant impact on how businesses around the world manage personal data if they do business with any EU member state. US businesses will need to gear up for this new data protection law, which has been hailed as the most important change in data privacy law in the last 20 years, explains John Hayes.
It is widely considered to be the most important change in data privacy law in the last 20 years, intended to replace the differing laws of the individual EU Member States with a single, unifying data privacy law. The UK, for instance, will adopt the GDPR following Brexit, as confirmed by the ICO (the Information Commissioner's Office in the UK). Given the GDPR's general application, this makes perfect sense.
Foreign to the US
The territorial reach of the new GDPR means that it will impact all US businesses (even those that are not located in the EU) that do business in the EU, or that process or hold data from individuals located in the EU, regardless of where that data is processed or stored. This is a big deal for US businesses. Worryingly, the research and advisory firm Gartner predicts that only half of the businesses impacted by the GDPR are likely to be compliant by the end of 2018.
This marks a significant shift for US businesses: there is no overarching data protection law in the US, where privacy laws tend to be sector-specific. The GDPR therefore marks a significant departure from the US mind-set: it applies not only across all sectors and all businesses, but across all EU territories and into the US wherever businesses hold data on EU citizens.
Main takeaways of GDPR for US based businesses
US businesses need to prioritise the points below to ensure they are well-positioned to deal with the new GDPR rules and regulations:
• Consent: Proving a legitimate interest, or data subject consent, is a fundamental aspect of the new law. Data subjects (e.g. employees) must be informed in unambiguous terms that their data is being collected and/or processed and must be notified of the specific use for such collection/processing. Consent must be freely given, specific, informed and unambiguous.
• Enforcement: There will be hefty fines for businesses that fail to comply with the GDPR requirements: up to the greater of €20 million or four per cent of total annual worldwide turnover for the most serious breaches. Regulators will also be able to impose a ban on processing and suspend data transfers, and employees may seek monetary damages from employers (including US employers). Where a business suffers a data breach, it will need to notify the relevant data protection regulator within 72 hours of becoming aware of the breach. If the breach poses a high privacy risk for EU citizens, those individuals must also be notified.
• Scope: Data Processors are brought within the scope of the GDPR for the first time. These are classic service providers and do not need to be employers; the GDPR applies equally to businesses managing data even if those businesses have no direct means of obtaining consent from data subjects (such businesses will need to obtain evidence of that consent from their clients).
• Retention: Data controllers (businesses) will be limited in terms of the length of time they can keep an individual’s data. It can be stored only for as long as necessary to perform the tasks for which it was collected.
• Rights of data subjects: Data subjects are entitled to request access to their data and can make requests for it to be rectified, deleted or transferred to another data controller. They can also withdraw their consent to their data being processed at any time.
• Monitoring: Data subjects will have the right not to be subjected to automated decision-making. Companies involved in regular monitoring or the large-scale processing of sensitive personal data will also be required to appoint somebody independent as a Data Protection Officer, whose role it is to ensure full compliance with the GDPR.
Transferring data to the US
The GDPR allows data transfers to countries whose legal regime is deemed by the European Commission to provide an ‘adequate’ level of personal data protection. In 2015, the US Safe Harbor Framework, which had previously been approved by the Commission, was held to no longer provide adequate data protection. The framework was subsequently replaced by the EU-US Privacy Shield, and US businesses have been able to self-certify to the standards set out in the Privacy Shield since August 2016.
US businesses need to do the following in Q1 2018 to be GDPR compliant:
• Audit: Carry out a data audit to assess your current HR-related processing activities. This includes reviewing the personal data you hold, where it came from, where it is stored, who it is shared with, what it is used for, how long you
• Skilling: Ensure you have appropriate staff and/or advisers in place who understand the legal basis for processing data under the GDPR to enable you to determine permissible purposes for processing employee data.
• Contracts: Review and update your existing HR and data privacy policies and employment documents (or implement new ones where necessary). This will involve adding a new ‘privacy notice’ to UK contracts of employment and updating UK Employee Handbooks.
• Training: Ensure all staff from the Board down (and particularly those who handle personal data) are suitably trained on the new rules.
• Supplier contracts: Review supplier (or client) contracts and negotiate suitable GDPR-compliant warranties and indemnities that protect your business.
• Reporting breaches: Put a response plan in place to ensure that in the case of a data breach, you can comply with your reporting obligations and recover as quickly as possible.
• Record keeping: Ensure you are ‘audit ready’ by ensuring that records of processing activities are well organised and easily accessible.
• Cross border: Consider what data transfer mechanisms you have in place and whether these continue to be appropriate.
This article first appeared in the April 2018 edition of Intercontinental Finance & Law.