The GDPR And You
The EU’s General Data Protection Regulation is not only complex, but it could apply to your Missouri- or Kansas-based practice.
Published in 2018 Missouri & Kansas Super Lawyers magazine
on November 14, 2018
Updated on November 15, 2018
Laura Clark Fey, a member of the inaugural class of the International Association of Privacy Professionals’ (IAPP) Fellows of Information Privacy, and one of 27 recognized privacy law specialists in the country as certified by the IAPP, says if you’re practicing law in Missouri or Kansas, you need to be schooled on the EU’s General Data Protection Regulation. Here’s why.
The European General Data Protection Regulation (GDPR), which took effect May 25, 2018, is the most significant data protection law to be passed in decades. In 26 years of practice, I have never seen a new privacy law attract as much attention from clients. The three main reasons are: 1) its extraordinarily broad territorial reach; 2) its onerous compliance obligations; and 3) its jaw-dropping financial penalties.
The main thing clients want to know, of course, is whether the GDPR is applicable to them. The GDPR can apply to a wide range of entities—from huge multinationals with establishments in the EU to small shops located only in Missouri or Kansas; and from multibillion-dollar corporations to not-for-profit entities.
As a general rule, the GDPR applies if an organization collects, stores or otherwise processes the personal data of individuals in the EU in connection with offering goods or services to them (whether or not payment is required), or monitors the behavior of individuals as it takes place within the EU. It also reaches processors directly: an organization retained by a business customer to perform services that involve processing EU personal data has its own obligations under the GDPR, in addition to those its customer will impose by contract.
Clients want to drill down to their specific compliance obligations. With 99 articles, the GDPR is daunting. Organizations with solid U.S. privacy programs should already be familiar with some GDPR data protection concepts, like notice, consent and data breach notification. But implementing those requirements for GDPR compliance purposes is more challenging than implementing them under most other privacy laws. Why? For a start, the GDPR requires a wider breadth of information to be covered in privacy notices; places significant limitations on what counts as valid consent (and allows withdrawal of consent at any time); and sets an extremely short data-breach notification period: controllers must notify the supervisory authority within 72 hours of becoming aware of a breach, absent a reasoned justification for delay.
Other GDPR concepts may be entirely unfamiliar, like EU data subjects' rights to data portability and erasure, and the requirement of data protection by design and by default. The vocabulary is a little tricky, too: key legal obligations vary depending on whether an entity is a "controller" (which determines the purposes and essential means of processing) or a "processor" (which collects, stores, uses or disseminates personal data on behalf of a controller). Even "personal data" is defined much more broadly than in most U.S. laws: under the GDPR, it means any information relating to an identified or identifiable natural person. This includes everything from a name to a facial photograph to a device identifier or an IP address.
For organizations, the best practice is to analyze gaps in compliance and develop a phased GDPR-readiness plan that focuses first on their highest areas of non-compliance risk. For most organizations, this will include updating privacy notices; negotiating and signing contract addenda with third-party service providers; implementing processes to appropriately address EU data subject requests; safeguarding personal data; and maintaining appropriate records of processing activities.
It is critical that organizations affected by the GDPR understand the risks of noncompliance. High regulatory fines have made headlines: for the most serious infringements, fines can reach 20 million euros or 4 percent of an entity's total worldwide annual turnover for the preceding financial year, whichever is higher. But the UK's Information Commissioner, Elizabeth Denham, offers a reality check: she notes it is "scaremongering" to suggest maximum fines will be the norm. The greater risk that most organizations may face is that regulators may order them to stop processing EU personal data or suspend their cross-border data transfers, which can halt a line of business outright.
The GDPR is often viewed as a law to be feared. But here are three good reasons why the Missouri and Kansas companies to which GDPR applies—and the lawyers representing them—should embrace it.
First, as a baseline for compliance, organizations must understand the different types of personal data they collect, where it is stored, how they protect it and how they transfer it to third parties. The data inventory produced by this fact-gathering process is highly valuable in its own right, for security and incident response as much as for privacy compliance.
Second, GDPR compliance is a business asset. New clients increasingly engage my firm (and potentially yours) because their customers are requiring GDPR compliance. Many organizations are even using compliance as a selling point.
Third, countries outside the EU have now started to adopt GDPR-like laws. Compliance with the GDPR, often referred to as the “gold standard for global data protection,” will move organizations ever closer to privacy compliance on a global scale—and that’s good news for everyone.