Think the General Data Protection Regulation (GDPR) doesn’t apply to U.S. companies? Think again, and quickly, as the massive data protection law – the biggest change to EU data privacy in more than 20 years – goes into effect on May 25.
Even if a U.S. company doesn’t have business operations in the EU, the GDPR applies if the company collects personal data on individuals in the EU. For example, a company selling products or services over the Internet, or tracking information about individuals in the EU to predict their online behavior, must comply with the GDPR.
If you’re rushing to comply, you’re not alone. A study by Vanson Bourne found that 52 percent of U.S. companies are subject to the GDPR – however, a report by Gartner estimates that more than 50 percent of companies subject to GDPR will not be in compliance with the law even by the end of 2018.
The risk: fines and penalties of up to €20 million or 4 percent of annual revenue, whichever is higher.
What should U.S. companies do?
Start by self-certifying to the EU-U.S. Privacy Shield Framework.
When the GDPR went into effect on May 25th, it limited transfers of EU individuals' personal data to countries that have adequate data protection laws in place. The U.S. is not a country that meets this requirement.
The U.S. Department of Commerce and the European Commission therefore negotiated the EU-U.S. Privacy Shield Framework so that participating U.S. companies are deemed to have adequate privacy protections and are allowed to transfer personal data from the EU to the U.S. Although the Privacy Shield does not include all the legal requirements of the GDPR (for example, the GDPR requires an opt-in for consent, while the Privacy Shield requires an opt-out), self-certifying provides critical protections for U.S. companies and an easier transition to complying with the GDPR.
What does the GDPR require?
U.S. companies must have a lawful basis, such as consent, in order to process the personal data of EU individuals. For example, in the context of email marketing, valid consent requires a positive opt-in (no pre-checked boxes), proof of consent, and a clear and specific statement of consent; it must be separate from other terms and conditions, and it must be granular (you need separate consent for each type of processing).
Data Subject Rights
U.S. companies must also be ready to respond to requests relating to EU data subject rights established under the GDPR. For example, EU individuals can request access to the personal data a U.S. company processes about them (right to access), request that the company correct inaccurate or incomplete data (right to rectification), and request that the company delete their personal data (right to be forgotten).
Data Breach Notification
U.S. companies must also meet the strict data breach notification requirements imposed by the GDPR. Once a company becomes aware of a personal data breach, it must report it to the supervisory authority within 72 hours. If the breach is likely to result in a high risk to individuals’ rights, the company must also inform the affected individuals without undue delay.
And, there’s more, 261 pages to be exact.
What are regulators saying about enforcement? One Data Protection Authority, Andrea Jelinek, indicated “[i]t’s not our first task to fine, it’s our first task to see if you’re compliant, and if you’re not compliant it will be a problem. There are no grace periods.”
Even if your company has worked toward GDPR compliance, given the complexity and lack of enforcement guidance, May 25th was just the beginning.
Lisa McGrath is a Boise attorney who focuses on solving legal problems related to social media, the Internet, marketing, advertising, E-commerce, mobile apps, privacy, and technology. She speaks frequently on social media law as it relates to the financial, healthcare, government, advertising, and other private and public sectors. McGrath can be reached at firstname.lastname@example.org.