In this article, we will discuss the EU-GDPR and how it may impact every company that has a website and has customers or clients located in a country that is part of the European Union.
What is EU-GDPR?
The European Union General Data Protection Regulation (“EU-GDPR”) replaces the Data Protection Directive 95/46/EC. It was approved in April of 2016 and is effective in May of this year. As stated on the GDPR portal, the purpose is to “harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy.”
The definition of personal data is broad: in addition to what we may normally define as personal data, such as social security numbers, names, and addresses, it includes photos, email addresses, bank details, posts on social media networking sites, and your IP address.
Your company may think it does not have to worry about this because you are located in the United States, but you may be wrong. If your company processes or holds personal data for a person residing in a European Union country, your company will have to comply.
If you have decided that this regulation applies to your company, the next question is: what does your company need to do? For purposes of determining responsibilities, it is important to distinguish data processors from data controllers. A controller is the entity that determines the purposes, conditions, and means of the processing of personal data, while the processor is an entity which processes personal data on behalf of the controller.
Conditions for Consent
The conditions for consent have been strengthened, as companies will no longer be able to use long, illegible terms and conditions full of legalese. Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it. Explicit consent is required only for processing sensitive personal data - in this context, nothing short of “opt in.”
Under the EU-GDPR, notice of a breach is mandatory and must be done within 72 hours of first having become aware of the breach. Data processors will also be required to notify their customers, the controllers, “without undue delay” after first becoming aware of a data breach.
Right to Access
Each person covered has the right to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose. Further, the controller shall provide a copy of the personal data, free of charge, in an electronic format.
Right to be Forgotten
Each covered person has the right to have the data controller erase their personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data.
GDPR introduces data portability - the right for a data subject to receive the personal data concerning them, which they have previously provided, in a “commonly used and machine-readable format” and to transmit that data to another controller.
Data Protection Officers
Your company will be required to maintain internal records and appoint a Data Protection Officer (“DPO”) if one of your company’s core activities consists of processing operations which require regular and systematic monitoring of data subjects on a large scale, or large-scale processing of special categories of data or of data relating to criminal convictions and offenses.
What Does This All Mean?
It is clear that your website must contain notices to all users as to what data you collect, what you do with the collected data, and how it is protected.
Finally, an internal discussion should occur to make sure that the relevant people in your organization understand what EU-GDPR is and what is needed to be in compliance.