International Clients? Are They (and You) Prepared for GDPR?
As of May 25th, 2018, the European Union’s General Data Protection Regulation (GDPR) is in effect. What does GDPR do, and what does it mean for companies that collect customer data? One thing it means is millions of dollars in fines for noncompliance. The time is now for corporate officers and corporate counsel to be fully up to speed on this sweeping regulation. GDPR isn’t just for multinational corporations; it could affect just about any mom-and-pop shop that does business over the Internet. If you practice business law at all, you want to make sure you and your clients understand the implications of GDPR and how to comply. Learn more about GDPR below.
What is GDPR?
GDPR is a data privacy law designed to protect the personal information that companies obtain from private citizens in the course of doing business. Hopefully your clients already have policies in place defining how they collect, use and maintain customer data. If so, they are on the right track toward GDPR compliance. Data privacy law has historically been much stronger in Europe than in the U.S., however, so if your clients are basically US domestic, they may not be prepared for the stricter and more detailed requirements of the GDPR.
Whom does GDPR apply to?
Companies operating in the European Union obviously need to care about GDPR, as do multinational corporations based in the US or elsewhere. But it is not just multinationals that need to know about GDPR. Any company that sells goods online to someone in a European Union country is within the reach of GDPR. Do you have a client who owns a used book shop with an online presence and the ability to sell overseas? How about a company that packages and sells gift boxes of local food or merchandise? Even the smallest local company needs to be ready for GDPR if it does any business with anyone in the EU. Any company, wherever it is based, is covered by the GDPR if it offers goods or services to people in the European Union or collects, processes or stores data tied to EU citizens.
What does GDPR require?
The GDPR is densely packed with 99 articles across 88 pages. Some of the key features required by the regulation include:
- Portability – customers can request that their data be transferred to them or to another company, even a direct competitor of the company currently holding the data.
- Mapping – companies need to prepare and maintain a comprehensive data map of what data they keep, how it is stored and how it is used.
- Breach – in the event of data loss or theft, companies have 72 hours to notify every applicable EU country about the data breach. For most US companies, this compresses what was previously a three-month process of identifying and dealing with the scope of a breach into only three days.
What are the penalties for noncompliance?
Here’s where the new regulation should get your attention if it hasn’t yet. Penalties for noncompliance range up to the greater of 20 million euros (approximately 25 million dollars) or four percent of the company’s worldwide revenues. GDPR includes civil penalties in every EU country plus criminal penalties in some countries, as well as personal liability for corporate officers. The regulation authorizes individual civil suits, as well as class action lawsuits by advocacy groups, against companies that lose customer data or otherwise fail to meet the requirements of GDPR.
What do business clients need to know about GDPR?
Every US business attorney should be ready to counsel and represent their clients about GDPR. Large companies are spending millions to get into compliance and avoid serious fines. Much smaller companies need to do what it takes to get ready too. One cost-effective approach might be to partner with a cloud service provider for the collection and storage of customer information. These companies are in the business of handling data and have likely already taken the necessary steps to comply with the strictures of the GDPR.
On a final note, don’t think only of the data your clients keep and how to advise them. If you have any clients in the EU or doing business overseas, your law firm is likely covered by GDPR as well, meaning you need to make sure your own data policies (you do have data policies, right?) are in order.
GDPR in a Nutshell: Rights of Individuals and Responsibilities of Companies
Rights of Individuals
- Right to erasure of data
- Right to access one’s data
- Right to correct errors
- Right to object to processing of data
- Right to have data transferred to the customer or even ported to another company
Responsibilities of Companies
- Provide notice of data collection policies
- Limit the use of personal data
- Define data retention and deletion policies
- Designate a Data Protection Officer (DPO)
- Notify the relevant authorities of a data breach within 72 hours
- Implement compliant contracts with vendors
- Monitor compliance