The EU and the US have very different privacy regimes. Although US privacy laws tend to be sector- or topic-specific – such as the Gramm-Leach-Bliley Act – the EU has an overarching privacy law: Directive 95/46/EC. This EU directive provides for various restrictions and requirements for the processing of EU personal data by all companies, regardless of sector, including the transfer of that personal data to the US.
The new European General Data Protection Regulation (GDPR) will replace the existing directive in May 2018 and, importantly, will expand its jurisdictional reach to US companies processing EU personal data in the US. As a result, US companies should review the reach and requirements of the GDPR to ensure they comply with the law. Firms’ compliance teams and boards should pay particular attention to key facets of the reforms.
Regulation vs directive: The GDPR is a regulation rather than a directive. This means it does not need to be implemented by each EU member state, as is the case with the current EU directive. Instead, it is directly applicable to each member state. There will therefore be more consistency among EU countries, although the GDPR allows for variations by member states in applying certain provisions.
Jurisdictional scope: In a significant departure from the current EU directive, the GDPR will apply not only to businesses that are established in the EU, but also to any organizations located outside of the EU that process personal data in relation to the offer of goods or services to individuals within the EU, or as a result of monitoring individuals within the bloc. By contrast, the EU directive applies only to organizations established in the EU or those that use equipment situated in the EU to process personal data.
Fines for non-compliance: The maximum fine for non-compliance will be substantially increased to up to 4 percent of an enterprise’s total worldwide annual turnover or €20 million ($24 million), whichever is higher.
New data breach notification obligations: Organizations will now be required to notify the relevant EU data protection authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of the individuals concerned. Organizations will also have to notify the affected individuals without undue delay if the breach is likely to present a high risk to them.
Privacy by design: Organizations must implement ‘privacy by design’ to ensure an appropriate level of data protection is provided by default when personal data is being processed.
Data mapping and data protection impact assessments: Organizations may need to appoint a data protection officer in certain circumstances to monitor the organization’s compliance with the GDPR. In addition, organizations carrying out higher-risk processing will also be required to map their personal data processing and to undertake data protection impact assessments.
Rights: The GDPR strengthens individuals’ rights with respect to their personal data. People will have the right to:
– have their personal data removed from systems or online content under certain circumstances (this is known as the ‘right to be forgotten’)
– avoid being subjected to automated data profiling in situations where this would produce a legal effect
– be given a copy of their personal data in a commonly used format and to have that information transmitted to another party in certain circumstances (this is known as the ‘right to data portability’).
Additional processor contract requirements: The GDPR adds direct obligations for processors such as vendors. These include requirements to provide appropriate security and to document their processing activities. It also adds several requirements regarding what needs to be included in a contract with a processor that are not required by the current EU directive, such as the requirement to delete or return all personal data to the controller after the end of the provision of the services related to the processing.
NEXT STEPS
A company should conduct a preliminary assessment, based on jurisdictional scope, to determine whether it will need to comply with the GDPR – even if it is not subject to the existing EU directive. If a company needs to comply with the GDPR, it should then take the following key steps.
Formulate a plan: Boards of directors and other senior management should understand the changes to the data protection law and how it will affect the business. Senior management should appoint a cross-departmental GDPR implementation team that will formulate a detailed step-by-step plan with appropriate milestones for how the company will implement the requirements of the GDPR.
Map the flows of personal data: It is essential for companies to conduct a detailed investigation into the flows of personal data. To that end, the GDPR implementation team should review all relevant processes and systems that deal with the collection, processing and use of personal data. The outcome of this exercise should ideally be a comprehensive overview of all processing activities the company performs or has third parties perform on its behalf.
Review the grounds under which personal data is being processed: It is mandatory to determine the legal basis under which personal data is being lawfully collected, processed and used, and whether any changes need to be made for this to continue under the GDPR.
Address risks: Data protection impact assessments should be conducted in order to identify and minimize the risks associated with the processing of personal data by the company, particularly where there are high risks to the rights and freedoms of the individuals concerned by the activities that are being carried out.
Consider hiring a data protection officer: A decision must be made as to whether the company is required under the GDPR or supplementary local legislation to appoint a data protection officer. The data protection officer will be responsible for monitoring compliance with the GDPR. This person should act as head of the data protection governance structure, report directly to the board of directors or senior management, put controls in place to implement and monitor compliance, and educate the wider workforce on the GDPR rules and their operational impact.
Implement new compliance systems: Plans and mechanisms must be put in place to ensure the business can respond to a data breach and the new data breach notification requirements, as well as support the rights individuals can exercise in relation to their personal data - including the right to be forgotten, the right to data portability, the right to object to automated data profiling and the right to be provided with access to personal data.
Update the data governance: Policies, procedures and other governance controls within the company should be updated to detail how the organization will practically comply with the new requirements under the GDPR. Employees should receive training on this and should be regularly updated. In particular, corporate secretaries – who often deal with records and documentation and are increasingly involved in corporate compliance – should be aware of the new GDPR requirements.
Draft and maintain records of processing activities: Based on the information in the data flow map, the company needs to draft detailed records of processing activities that specify, among other things, a description of the processing activity, the categories of data subjects and personal data concerned, the purposes of the processing activity and the parties with which the personal data is being shared. These records must be kept in writing, but doing so in electronic form is sufficient. It is equally important to establish a process for ensuring these records are kept up to date as processes change over time.
Review supply chain contracts: The contracts with service providers and other parties with which the business shares personal data should be reviewed and, where necessary, renegotiated to ensure all parties are complying with their GDPR obligations, including the new contractual requirements.
Assess international data transfers: Companies should assess the manner in which they currently carry out any international transfers of personal data, in particular to countries outside of the EU/European Economic Area, and whether any mechanisms for carrying out these transfers within the organization or to third parties need to be updated to comply with the GDPR. This is also the case for companies with affiliates or branches in the EU, as they will be subject to the GDPR provisions when transferring personal data from their EU locations to their US headquarters.
Kendall Burman (counsel, Washington, DC), Diletta De Cicco (legal professional/ consultant, Brussels), Charles-Albert Helleputte (partner, Brussels) and Lei Shen (senior associate, Chicago) are with Mayer Brown. This article was written with assistance from Björn Vollmuth (counsel, Frankfurt) and Oliver Yaros (partner, London).
This article originally appeared in the Winter issue of Corporate Secretary.