Starting next year, new and stringent data protection laws will be in place in the European Union (“EU”) and the European Economic Area (“EEA”) – laws which may have a material impact on businesses located in the United States. Effective as of May 25, 2018, the new General Data Protection Regulation (“GDPR”) will apply to the processing of personal data relating to individuals who are in the EU/EEA, in connection with activities in the EU/EEA, or in connection with monitoring behavior in the EU/EEA. The GDPR states that it applies to “natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data.” The GDPR applies to controllers (the entity that determines the purposes and means of processing the personal data) and processors (the entity that performs any operations on the personal data, including storage or structuring of the data). Thus, if you or your business is a controller or processor in connection with the personal data of any EU/EEA data subjects, you will now be subject to the GDPR even if you are not located in the EU/EEA and do not physically conduct any business there.
The GDPR requires those to whom it applies to maintain records of their processing activities and to be in a position to demonstrate how they comply with the data protection requirements and that they have appropriate procedures in place. The GDPR further requires entities to inform data subjects of their identity, how the personal information will be used, the lawful basis for processing the data, the data retention periods, and the right to complain to the applicable Information Commissioner’s Office (“ICO”). All of this information must be provided in clear, concise and easy-to-understand language.
The GDPR provides individuals with the following rights with respect to the collection and deletion of their personal data:
- The right to be informed of what data is being collected and why;
- The right to access their personal data;
- The right to have any incorrect information fixed;
- The right to have their personal data deleted;
- The right to restrict processing;
- The right of data portability;
- The right to object to the use of their personal data; and
- The right to not be subject to automated decision-making with respect to their data.
The GDPR has strengthened the requirement that there be a lawful basis for processing personal data (there are 6 justifications for regular personal data and 10 justifications for special categories of data), and data subjects must also now be informed of the lawful basis for the processing – often accomplished through a privacy notice.
The GDPR has updated and strengthened the consent requirements. Consent must be “freely given, specific, informed and unambiguous” and be given “by a statement or by a clear affirmative action . . . .” At OlenderFeldman, we have created a consent checklist for clients to follow to ensure that consent is adequately obtained. While such a checklist is not required for legal compliance, it makes the process easier and more certain.
The GDPR also imposes new requirements to report data breaches to the ICO (and possibly to other governmental bodies, depending on the type of breach, where it occurs and what information is involved) and, under some circumstances, to the affected data subjects.
Finally, the GDPR requires controllers and processors to implement appropriate technical and organizational measures proportionate to the risk.
If you have any questions about the GDPR, its applicability to you or your business, or seek additional details concerning any data privacy and protection matters related to your business, please contact Michael J. Feldman, Esq., CIPP.
CIPP: Certified Information Privacy Professional of the International Association of Privacy Professionals.