Scenario – A multi-national manufacturing business has its headquarters in the United States but also has substantial manufacturing and research and development facilities in Europe. The US-based general counsel wants to be prepared to comply with the EU General Data Protection Regulations (“GDPR”).
The new GDPR will come into force throughout the European Union on May 25, 2018. The GDPR will replace existing data protection laws throughout Europe and introduce significant changes and additional requirements that will have a wide-ranging impact on businesses around the world, irrespective of where they operate.
The GDPR Changes That Will Affect Your Business:
Some key changes and additional requirements introduced by the GDPR are:
1. Worldwide application of European data protection law. In a significant departure from the current requirements, in addition to businesses that are established in the European Union, organizations that are located outside the European Union that process personal data in relation to the offer of goods or services to individuals within the European Union, or as a result of monitoring individuals within the European Union, will have to comply with European data protection law. Non-EU-based businesses will need to consider whether they will be subject to the new rules and, if so, how they will comply.
2. Tougher sanctions for non-compliance. The maximum fine for a breach of European data protection law will be substantially increased to 4 percent of an enterprise’s worldwide turnover or €20 million per infringement, whichever is higher.
3. A new data breach notification obligation. Organizations will now have to notify the relevant European data protection authority of a breach without undue delay and where feasible within 72 hours. A notification must also be made to the individuals affected without undue delay where there is a high risk to them.
4. New data privacy governance, data mapping and impact assessment requirements. Many organizations will now need to appoint a data protection officer to be responsible for implementing and monitoring that organization’s compliance with the GDPR and to carry out assessments of an organization’s data processing in certain circumstances. Organizations will now also be required to map their processing of EU personal data and undertake data protection impact assessments for higher-risk processing.
5. A requirement to implement “privacy by design.” Businesses must now take a proactive approach to ensure that an appropriate standard of data protection is the default position taken when EU personal data is being processed.
6. Strengthening of individuals’ rights to personal data. Individuals in the European Union will have these rights: (i) to have their personal data removed from systems or online content (the “right to be forgotten”), (ii) to not be subjected to automated data profiling (where this would produce a legal effect) and (iii) to be given a copy of the personal data relating to them in a commonly used format and to have that information transmitted to another party (the “right to data portability”). Organizations must determine how they will enable individuals to exercise these rights.
Preparing for the GDPR:
If a preliminary assessment determines that your business will have to comply with the GDPR, you should consider taking these steps:
- Inform your leadership and formulate a plan. Senior management should be made aware of the changes to data protection law and how it will affect your business. Senior management should designate the individuals who will formulate a plan for implementing the GDPR requirements and who will educate the wider workforce on its operational impact.
- Map your personal data. A detailed investigation should be conducted into and a record created of the personal data your business is collecting in relation to the offer of goods or services to individuals in the European Union, the purposes for which it is being processed, the ways it was obtained and the parties that it is being shared with.
- Examine the impact. The information gathered from the personal data mapping exercise should be used to assess which parts of your business and which data processing activities must comply with the GDPR.
- Address the risks. Data protection impact assessments should be conducted to identify and minimize the risks associated with the processing of personal data by your business, particularly where there are high risks to the rights and freedoms of the individuals concerned by the activities that are being or are going to be carried out.
- Update your data governance. Policies, procedures and other governance controls within your business should be updated to detail how your organization will practically comply with the new requirements under the GDPR. Employees should receive training on and should be regularly updated about this.
- Review your supply chain contracts. The contracts with the service providers and other parties that your business shares personal data with should be reviewed and, where necessary, renegotiated to ensure that your organization is appropriately supervising the manner in which they process personal data and are complying with their obligations under the GDPR.
- Assess your international transfers. Assess the manner in which you currently carry out any international transfers of personal data and whether any mechanisms for carrying out these transfers within your organization or to third parties need to be updated to comply with the European data protection requirements.
Source: Mayer Brown – Oliver Yaros, Mark A. Prinsley, Charles-Albert Helleputte, Dr. Guido Zeppenfeld, Rebecca S. Eisner, Lei Shen, Rajesh De, David A. Simon, Kendall C. Burman and Gabriela Kennedy