30 Days to GDPR Compliance Deadline: Four Things to Know
The deadline for compliance with the new European Union General Data Protection Regulation (GDPR) is fast approaching. Companies subject to the sweeping new requirements now have only 30 days remaining to comply with the regulation.
In April 2016, the European Commission enacted GDPR as a comprehensive replacement of the previous EU Data Directive, giving companies a two-year grace period to fully comply with the regulation. GDPR imposes significant new requirements on companies with business ties to the European Union and substantially expands the material and territorial scope of European data protection laws.
1. More Companies Must Comply
GDPR has explicit extra-territorial reach, applying to non-EU companies engaged in specific activities in the EU or with EU citizens. Even if a company does not have established business operations in the EU, GDPR will still apply to companies that offer goods and services to data subjects in the EU or monitor the behavior of data subjects within the EU.
What does this mean for compliance? The broader territorial reach of GDPR means that companies – including those based in the United States – not previously subject to EU data protection laws will need to evaluate their business practices to understand whether GDPR applies to their operations. Even companies not directly marketing to or receiving personal data from EU citizens may still be subject to GDPR if they receive or process such personal data on behalf of another company.
2. More Data to Protect
GDPR defines personal data as “any information relating to an identified or identifiable natural person (‘data subject’).” Unlike the previous definition of personal data under EU law, GDPR expands the application of the regulation to include unique identifiers, such as location data and online identifiers (e.g., IP address).
What does this mean for compliance? Some data that companies could previously use without much restriction may now be subject to the strict requirements of GDPR, particularly with regard to obtaining consent from individuals before collecting or using personal data. Complying with this requirement may require significant changes to current data collection and use practices. Companies will need to thoroughly assess and understand the types of information they collect and how that information is used.
3. More Compliance Requirements to Meet
GDPR imposes significant new compliance requirements on companies, including substantial documentation of compliance with the new regulation. In particular, companies now need a legal basis for processing personal data and must be open and transparent with data subjects about data practices. Data subjects also now have individual rights they can exercise over their data, which companies must honor.
Additional obligations include specific contracting provisions with subcontractors and data breach notification requirements. On top of these requirements, companies must extensively document the decisions and actions taken on personal data, as well as their compliance with GDPR.
What does this mean for compliance? Compliance with these requirements will require potentially substantial changes to internal processes and business practices, and companies will need to carefully document their information practices. Additionally, companies should understand any contractual obligations they may have as a data controller or processor.
4. More Countries (and States) Are Following Suit
The changes under GDPR are extensive, and many jurisdictions are trying to keep pace with the new requirements by implementing their own new laws. For some countries, like the Cayman Islands, the impetus for new data protection laws is to obtain an adequacy decision from the European Commission, which permits the free flow of personal data from the EU.
In other cases, jurisdictions are adopting provisions similar to GDPR to expand existing data protection regimes. For example, consumer rights similar to the data subject rights under GDPR have been incorporated into a ballot proposal in California. If the proposal is voted on and approved in November, companies doing business in California will face heightened privacy requirements regarding transparency and consumer choice.
What does this mean for compliance? Even if your company is not currently subject to GDPR, it is important to remain aware of the compliance requirements. It is likely that more jurisdictions will begin to consider similar data protection practices, particularly in light of recent high-profile news stories regarding data privacy and security. Carefully assessing current data collection, use, and disclosure practices against the backdrop of GDPR can help highlight potential gaps or areas of focus for improving privacy and security capabilities.
If you have questions about complying with GDPR, or whether the regulation applies to your company, we welcome you to contact one of the leaders of our Cybersecurity and Privacy team.