The General Data Protection Regulation (the “GDPR”), promulgated by the European Commission, was adopted in April 2016 and became effective in May 2018. Rarely mentioned with positivity in the past two years, the GDPR standardizes data protection laws across the European Union and applies to companies located outside of the EU that offer goods or services to, or monitor the behavior of, persons inside the EU.
The Benefits of the GDPR for Companies
Not only does the GDPR call for adherence to seven fundamental privacy principles (lawfulness, fairness, and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability), but it also calls for increased technical measures requiring businesses to update and strengthen their data protection practices. Instead of mindlessly gathering any and all data, businesses should gather data with a defined purpose. Data mapping and inventory exercises challenge businesses to fully understand the data they hold and how it fits into the broader organization. For many businesses, this is the first time they will actually take the time to truly know and understand the data they hold. This data knowledge is particularly useful for mapping data strategies going forward. By raising awareness of the importance of well-maintained data, the GDPR has allowed organizations to make more informed decisions about strategic business partners and future avenues of growth.
Data Processing Inventory: Article 30 requires controllers and processors to create and maintain a formal, written record of their processing activities, subject to one exception: when the organization has fewer than 250 employees and the processing is not likely to result in a risk to the rights and freedoms of data subjects, is not occasional, or is not of special categories of data. The records maintained by the processor must cover the personal data processing activities it carries out on behalf of a controller, and the processor must provide the controller a copy of the record upon request. While not a granular report of each data element in a business’s repositories, the record provides a high-level snapshot of how the business processes personal data.
Data Protection Impact Assessments (DPIA): Under Article 35, if processing personal information is likely to result in a high risk to data subjects’ rights and freedoms, the controller should perform a DPIA. Practically speaking, the DPIA is a risk assessment exercise meant to identify and minimize risks relating to the controller’s personal data processing activities.
Privacy Notices: Businesses are also required to publicly post a privacy notice detailing the source of the personal data, the legal basis for processing the personal data, the period for which the personal data will be retained, and the third-party recipients of the data. Further, the privacy notice must be provided in a manner that is concise, transparent, intelligible, and easily accessible, using clear and plain language.
Data Processing Agreements: Article 28 provides that controllers may only engage with a processor who provides sufficient guarantees of compliance with the obligations of the GDPR. Specifically, Article 28(3) of the GDPR requires a contractual agreement between controllers and processors regarding the parties’ roles and the processor’s obligations to comply with certain provisions in the GDPR.
While these measures, and the GDPR in general, certainly increase the costs of doing business, they can be a competitive advantage for companies that commit to real compliance. Not only can a business become a preferred vendor by showing its commitment to data protection, but it also has an opportunity to build customer loyalty by being transparent about how it uses personal data.
Leveraging GDPR for Trends in the US
The GDPR kicked off this new wave of data privacy and data protection laws. Particularly in the US, which lacks an omnibus federal data protection law, many states have proposed their own data protection laws. Most recently, this was seen with the passage of the California Consumer Privacy Act (the “CCPA”), which was heavily influenced by the GDPR. Despite the COVID-19 pandemic, the California Attorney General has reiterated that the enforcement date of the CCPA is still July 1, 2020. The California Attorney General is currently working on the third draft of his CCPA regulations before a final draft is due by July 1.
For companies that have never undergone data protection compliance exercises, the process can be daunting, but we can leverage our existing data protection knowledge to quickly get in front of these issues as they come up in day-to-day business operations.
Dated April 8, 2020
Written by Stan Sater and Jeff Bekiares
* * *