Are You Ready for the General Data Protection Regulation? A Checklist for U.S. Based Companies

OVERVIEW

The new General Data Protection Regulation (GDPR) will come into effect on May 25, 2018. If your U.S. business has an interest in the EU, or if you process data of citizens who reside within the EU, you will need to review your business processes, data flows, and security practices, and train your people to comply with the GDPR. If you haven’t started already, don’t panic, but start planning a compliance strategy now. Smaller businesses, or those handling smaller amounts of Personal Data, may be caught off guard.

Intended to protect EU citizens from privacy and data breaches and to harmonize privacy laws across the EU, the GDPR will apply globally and require significant changes to the privacy practices of U.S. companies. The three most significant changes from the previous EU Privacy Directive are that the GDPR will: (1) apply globally to protect Personal Data (defined in Part A.2. below) of individuals located in the EU, even if the data is collected for (or processed by) a company outside of the EU; (2) impose steeply increased fines; and (3) strengthen consent requirements such that confusing terms and ambiguous conditions will no longer protect the Data Controller or Data Processor. Almost any website that uses tracking cookies, or any mobile app that retrieves location or usage information, will be subject to the GDPR. In effect, the GDPR is designed to pull in and affect the processes of U.S. technology companies. This is the biggest change to privacy and data protection in 20 years.

There is still uncertainty about how the GDPR will be enforced, and the regulation contains much unclear language that will be subject to interpretation. For example, an organization must appoint a data protection officer if its core activities consist of monitoring individuals on a “large scale.” A company must conduct a Privacy Impact Assessment (PIA) if it performs a “systematic and extensive evaluation” of individuals. It is currently unclear what these terms mean. GDPR Supervisory Authorities will need to provide further definitions of the terminology and clear guidance, specifically regarding the right to data portability, the concept of “high risk” and “large scale” processing activities, the role of the data protection officer, and how and when Privacy Impact Assessments are to be carried out.

This article provides an introduction to the impact of the GDPR on U.S.-based companies. First, it gives a brief overview of the GDPR and its key concepts. Then, it delves more deeply into compliance, including the nature of consent to use Personal Data, transfers of data, security, and data breaches. Finally, it provides a checklist as a starting point for practical actions you can take now.
