Get updates by email

Select Specific Blog Updates

Paul Zimmerman
pzimmerman@mrllp.com
310.299.5500

Photo of M&R Blog

Dmitry Sergeev © 123RF.com

GDPR contact: Scott Lyon
714.557.7990 | slyon@mrllp.com

GDPR Compliance Strategy

The European Union adopted the General Data Protection Regulation (GDPR) on April 27, 2016, establishing the rights and freedoms of EU residents with regard to how their personal data is collected, processed, shared, and retained. No surprise that companies around the world, including clients of Michelman & Robinson, LLP in a range of industries, are struggling to understand how the GDPR will impact their business operations and how they should respond. As the May 25, 2018 deadline for compliance is fast approaching, we thought it would helpful to provide answers to some of the most frequently ask questions about GDPR.

I’m a retailer based in the United States with no operations in the European Union. I have a few customers who purchase my products from the EU through my e-commerce portal, but they’re less than 5% of my total customer base. Does the GDPR apply to me?

Yes. The GDPR purports to apply to all cases where any one of the following are based in or operate from the EU: 1) the data controller (the company that collects EU resident data); 2) the processor (the company that processes data for the data controller, such as a shipping vendor, website host, etc.); or 3) the data subject (the EU resident). There is no minimum threshold for compliance; if an organization collects the data from a single EU resident, it needs to treat that data in compliance with the GDPR.

But I don’t collect “personally identifiable information (PII),” just a name, e-mail address, and IP address. I don’t have any personal identifiers (ex: driver’s license numbers), bank account information, or protected health information (PHI). Do I still have to comply?

Again, the answer is yes. The GDPR focuses on “personal data,” which is different from and much broader than PII. “Personal data” is defined in Article 4 as “any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.” That being said, even if your website is only logging visitors’ IP addresses or collecting email addresses, you may have an obligation to comply with the GDPR. (As a technical aside, not including data subjects using static IP addresses who are more easily identifiable, even an IP address temporarily assigned to an individual using DHCP (Dynamic Host Configuration Protocol) could be used to identify an individual but this would require logs from the data subject’s ISP).

Can I just get my EU customers to waive GDPR compliance in exchange for using my website?

No. GDPR rights cannot be waived, though one way to collect, process or use a data subject’s personal data is by obtaining their consent.

Something else to consider: the GDPR creates a “fundamental right” for EU residents to control how their data is collected, processed or retained. This is not an “absolute right” in the sense that businesses have some right to collect or retain personal data if they obtain prior consent, require the information to fulfill a contract with the data subject, or need the information to comply with a legal obligation (such as a tax or regulatory reporting obligation). A good analogy may be the “freedom of speech” in the U.S; to wit, we have a fundamental right to communicate opinions and ideas, though it is not an absolute right because a person cannot freely defame someone, yell “fire” in a crowded theater, or reveal certain information in defiance of a nondisclosure agreement. In this way, the EU has transformed personal data from a publicly tradable commodity to something inherently tied to individuals.

So if I include a provision on my website privacy policy (there’s a link to it on the bottom of my website that no one except my lawyers seems to know about), implying consent if they continue using the website, is that sufficient?

No. Data subjects must take some affirmative action to indicate their consent, after you have fully informed them why you are collecting their data, how you will use it, who you will share it with, and how long you will keep it. This can be in the form of an unchecked consent box (note: you cannot pre-check it for them) or a text field where they can “digitally sign” or enter the words “I consent.” All consent must be verifiable, so it is important to maintain records (date, time, IP address, etc.) and keep in mind that consent can be withdrawn (see below).  Also, consent for minors must be given by the child’s parent or custodian, which must also be verifiable.

What if they submit an order? I need their personal data to send them their products.

If data collection or processing is necessary for the performance of a contract to which the data subject is a party, then the initial collection or processing may be lawful. However, once the order is fulfilled, the data subject can request that you delete their information (i.e. the “right to erasure”) and unless you qualify for a limited set of exceptions, you must comply. Data subjects can also request to view their data (to see what has been collected), correct their data (to verify its accuracy), and transfer their data to someone else including your competitors (requiring you to produce it for them in a structured open standard format).

What if I want to use past order information to profile my customers, so I can offer them more relevant products and services in the future?

The key question is: did they give their consent to using their information in this way?  If they only provided their information based on the representation that you would use it to fulfill an order, then you cannot use it for any other purpose without getting further consent from them.

My company keeps customer data spread out among multiple departments and backup facilities. How am I supposed to manage all of this data just for EU residents?

GDPR compliance is not something an organization can satisfy overnight, and once achieved it is a continuous compliance obligation. There are many different ways that data can be managed for GDPR compliance; however, most begin by performing data mapping (that is, identifying what types of data are being stored in different locations within your organization).  Data can then be consolidated and indexed based on type (PII v. non-PII), jurisdiction (EU v. other), and sensitivity (credit card information, healthcare, etc.). Where appropriate, techniques such as tokenization, pseudonymization, and encryption can be used to both protect personal data as well as make it useful for other purposes (for example, de-identified data not subject to re-identification may be excluded from the data subject’s rights to erasure or right to data portability). You should also consider appointing a Data Protection Officer (in some cases, if your company’s core activities consist of processing operations that require regular and systematic monitoring of data subjects, you may have to anyway). This person will be responsible for monitoring the company’s data protection practices and ensuring GDPR compliance. Appointment of a DPO can be very helpful because it centralizes authority to implement GDPR-compliant policies and ensures that everyone is working from the same playbook.

What if my customer lists get hacked or I accidentally email the wrong customer information to the wrong email address? How does the GDPR require me to respond?

As a data collector or data processor, you are required to maintain the security of the data entrusted to you. If that data is breached (either externally or internally, accidentally or intentionally), the EU Supervisory Authority must be notified within 72 hours after you become aware of the data breach. Affected data subjects must be notified if there would be an adverse impact (which can include loss of control over their data). However, there is an exception if the data is rendered unintelligible to the person who acquires it, such as in the case of encryption, assuming that the recipient does not also obtain the encryption keys.

What if I decide to accept the risk of non-compliance and “roll the dice” that they don’t target me for an enforcement action? What’s the potential penalty?

GDPR sanctions are severe, to say the least. You may be given a written warning for first or non-intentional cases of non-compliance, but you can also be fined the greater of 20,000,000 Euro or 4% of your annual worldwide turnover, depending on the type and severity of the violation.  You could also be ordered to submit to regular periodic data protection audits.

Okay, it sounds like I have got to comply. Where do I start?

There are several steps you can take right away to move toward GDPR compliance:

Data mapping – Identify where data is stored within your organization, who the data relates to (EU residents?), what type of data you’re storing (personally identifiable information, protected health information, etc.), who controls the datasets, and what internal policies apply to that data (was it collected from a business partner who restricts how it is used, or from the data subjects themselves pursuant to a former privacy policy).

Segmentation – The GDPR requires you to treat EU residents differently, so you may want to consider segregating their data from other data subjects, making it easier to manage.  However, it may not be immediately obvious that a user is an EU resident, so if you later acquire information that makes you aware (a home address or international phone number), you should have processes in place to move those users between databases, assuming you adopt this approach. Alternatively, it may be easier to treat all users as EU residents for management purposes, though this will restrict you from otherwise permissible uses with regard to non-EU residents.

Consent – Analyze how data is being collected by your organization and review the processes in place for obtaining and recording users’ consent. Is there a mechanism in place to identify whether a user is a resident of the EU before data is collected, so that consent can be obtained first? When obtaining consent, remember that the EU resident must take an affirmative action to indicate consent (check or uncheck a box), so incorporate those features into your consent form. Also, be sure that you are logging each time consent is granted to not only indicate that consent was given, but also under what circumstances (what the user authorized you to do with their data).

Document and Train – The GDPR imposes new restrictions on how data is processed within your organization, so you should ensure that your employees are trained on these new rules. Create and distribute written internal policies to demonstrate your commitment to compliance.

Accountability – Whether or not you formally designate someone as your organization’s Data Protection Officer (DPO), it’s advisable to appoint an individual within in your organization whose responsibilities include monitoring data governance and privacy, including GDPR compliance. This person can be a valuable point of contact should any employees have questions about the new GDPR practices.

So who should I call about putting GDPR policies in place?

The cybersecurity and data privacy professionals at M&R would be happy to assist you in setting up a GDPR program for your organization. Because these programs take time to construct and internalize within your company, we recommend that you begin your compliance project as soon as possible. Remember the deadline for compliance is May 25, 2018.

This blog post is not offered as, and should not be relied on as, legal advice. You should consult an attorney for advice in specific situations.