GDPR: The Regulatory Iceberg of 2018

You're heading into dangerous waters. On May 25, 2018, the European Union (EU) General Data Protection Regulation (GDPR) goes into full effect, and it will almost certainly affect you. If you are not compliant with the GDPR by this date, you could face fines of up to 20 million Euros or 4% of worldwide annual revenue per breach. So it's important to understand whether the GDPR applies to your business, and if it does, what you must do to comply.

It probably applies to YOU

The GDPR is a comprehensive regulation meant to protect the personal data of EU citizens, wherever that data might be processed. It greatly expands the geographical scope of the EU data protection laws. In fact, the GDPR applies not only to organizations located within the EU, but also to organizations located outside of the EU if they offer goods or services to, or monitor the behavior of, EU residents. So US-based companies will need to comply with the GDPR if they are doing business (or attempting to do business) in the EU and are handling or storing any personal data of individuals residing in the EU. 
Personal data is broadly defined
Personal data” under the GDPR is broadly defined and covers far more information than one may initially believe. It comprises any information relating to an identified or identifiable natural person. If information can be used to identify the particular natural person using “all means reasonably likely to be used,” that information is “personal data” under the GPDR. That's right: data may be “personal data” even if the organization holding such data cannot itself identify a natural person. Names are not necessary for the information to be “identifiable;” any identifiers such as IP addresses, cookies or RFID tags are included.

How to comply

There's no getting around it. By this time next year, you will need to have done the following:
  1. Adopt accountability and governance measures. New provisions within the GDPR require that companies put governance measures in place so as to minimize the risk of breaches and to protect personal data. The GDPR also requires that in response to a breach, the controller without undue delay, and where feasible, no later than 72 hours after having become aware of it, notify the supervisory authority.
  2. Appoint a Data Protection Officer (DPO): Data controllers and processors are required to appoint DPOs to manage all affected data processing operations. The DPO is required to be an expert in data protection law, and must be allowed to act independently, reporting directly to the C-suite.
  3. Perform impact assessments. The GDPR requires data controllers to perform impact assessments before carrying out any data processing that is likely to involve high risks to the rights and freedoms of individuals. If the results of the assessment indicate a high risk, the controller must obtain a prior review by the relevant Data Protection Authority.
  4. Update data transfer policies. The GDPR imposes new restrictions on the transfer of personal data outside the EU. 
  5. Implement new policies to accommodate individual privacy rights. Under the GDPR, individuals have stronger rights, including, the right to be informed, the right of access, the right of rectification, the right to restrict processing, the right of data portability, the right to object, rights in relation to automated decision-making and profiling and the right to be forgotten/erasure. 
  6. Revise online consents.  If your terms of use are densely worded or confusing, you need to change them. The request for consent must be given in an easily accessible form, clearly indicating the purpose for data processing, and such consent must be clear and distinguishable from all other matters. If you intend to reuse existing data for new or different purposes, you'll need to explicitly obtain consent to do so. You will also have to obtain parental consent to process personal data of children under 16 years old. 
  7. Add "Privacy by Design"  to your development process. Privacy must now be built into any new products, systems, and processes using personal data at the time of development. 
  8. Add "Privacy by Default" to your operations. The GDPR requires that the strictest privacy settings be automatically applied once a business acquires a new product, system, or service (no manual configuration of the privacy settings should be required). You will need to document how you have built data privacy protections and processes into the initial design stages of any new project as well as throughout its life cycle.

Steps you need to take NOW

You need to immediately review what kinds of data you handle, from where and how you are gathering such data, how that data are processed, and what security mechanisms, policies, and procedures you have in place already. Then, if you believe you are subject to the GDPR, you will need to review the GDPR to see what you may need to add or modify in order to comply.

Contact K6 Legal to help you get things started. Don't get blindsided by the GDPR.

Comments

Post a Comment

Popular posts from this blog

SEC Cyber Unit files first charges

The Securities and Exchange Commission today announced it obtained an emergency asset freeze to halt a fast-moving Initial Coin Offering (ICO) fraud that raised up to $15 million from thousands of investors since August by falsely promising a 13-fold profit in less than a month. The SEC filed charges against a recidivist Quebec securities law violator, Dominic Lacroix, and his company, PlexCorps. The Commission's complaint, filed in federal court in Brooklyn, New York, alleges that Lacroix and PlexCorps marketed and sold securities called PlexCoin on the internet to investors in the U.S. and elsewhere, claiming that investments in PlexCoin would yield a 1,354 percent profit in less than 29 days. The SEC also charged Lacroix's partner, Sabrina Paradis-Royer, in connection with the scheme. Today's charges are the first filed by the SEC's new Cyber Unit. The unit was created in September to focus the Enforcement Division's cyber-related expertise on misconduct in
Read more

Stop passing blockchain laws

History has a way of repeating itself. Twenty years ago, when Amazon was just an experiment in online book sales and Google was just a Yahoo! copycat, nobody seemed to understand what the “Internet” actually was or how it would eventually affect our lives. That went double for lawyers, who in the mid-1990s pushed the panic button when the concept of online contracting became a reality. State lawmakers rushed to introduce statutes that would define and constrain this monster before it wrought havoc on the unsuspecting analog world of contract law. They came up with technology-specific, proscriptive rules for electronic signatures that, had they been successful, would have left the U.S. a patchwork of unworkable state laws that would have prevented electronic delivery and signatures for all kinds of transactions that we take for granted today. Fortunately, a model law called the Uniform Electronic Transactions Act (UETA) emerged that, in contrast to the initial view that online
Read more

Just Published: Free Library of Digital Policies

K6 Partners announced today the release of a free e-signature policy library at www.esignaturepolicies.com . “The lack of esignature policies–and the sense of certainty they provide– is the number 1 reason for delaying critical digital transformation initiatives,” said Ken Moyle , president of K6 Partners.  “The eSignature Policies site is designed to give transformation leaders a resource for learning more about esignature policy design.” Free Webinar: E-Signature Policies for the Public Sector K6 Partners previously announced that experts in public sector e-signature policy will offer a free webinar on July 11 , 2017 at 2:00 PM Eastern / 11:00 AM Pacific. Panelists from state and local governments will share insights on adopting and managing online citizen engagement. "State and local entities are looking for new ways to engage citizens and provide value through digital channels," Moyle said. "Yet they face challenges that are different from those faced by p
Read more