The General Data Protection Regulation (the “GDPR”), promulgated by the European Commission, was adopted in April 2016 and became effective in May 2018. Rarely mentioned in a positive light over the past two years, the GDPR standardizes data protection laws across the European Union and applies to companies located outside the EU that offer goods or services to, or monitor the behavior of, persons inside the EU.
The Benefits of the GDPR
Not only does the GDPR call for adherence to seven fundamental privacy principles (lawfulness, fairness, and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability), but it also calls for increased technical measures requiring businesses to update and strengthen their data protection practices. Instead of mindlessly gathering any and all data, businesses should gather more purposeful data. Data mapping and inventory exercises challenge businesses to fully understand the data they hold and how it fits into the broader organization. For many businesses, this is the first time they will actually take the time to truly know and understand the data they hold. This data knowledge is particularly useful for mapping data strategies going forward. By raising awareness of the importance of well-maintained data, the GDPR has allowed organizations to make more informed decisions around strategic business partners and future avenues of
Data Processing Inventory: Article 30 requires controllers and processors to create and maintain a formal, written record of their processing activities, subject to one exception: when the organization has fewer than 250 employees and the processing is not likely to result in a risk to the rights and freedoms of data subjects, is not occasional, or is not of special categories of data. The records maintained by the processor must include the personal data processing activities carried out on behalf of a controller, and the processor must provide the controller a copy of the record upon request. While not a granular report of each data element in a business’s repository, it provides a high-level snapshot of how the business processes personal data.
Data Protection Impact Assessments (DPIA): Under Article 35, if processing personal information is likely to result in a high risk to data subjects’ rights and freedoms, the controller should perform a DPIA. Practically speaking, the DPIA is a risk assessment exercise meant to identify and minimize risks relating to the controller’s personal data processing activities.
Privacy Notices: Businesses are also required to publicly post a privacy notice detailing the source of the personal data, the legal basis for processing the personal data, the period for which the personal data will be retained, and the third-party recipients of the data. Further, the privacy notice must be provided in a manner that is concise, transparent, intelligible, and easily accessible, using clear and plain language.
Data Processing Agreements: Article 28 provides that controllers may only engage with a processor who provides sufficient guarantees of compliance with the obligations of the GDPR. Specifically, Article 28(3) of the GDPR requires a contractual agreement between controllers and processors regarding the parties’ roles and the processor’s obligations to comply with certain provisions in the GDPR.
While these measures, and the GDPR in general, certainly increase the costs of doing business, they can be a competitive advantage for companies that commit to real compliance. Not only can a business become a preferred vendor by showing its commitment to data protection, but it is also an opportunity to build customer loyalty by being transparent about how it uses personal data.
Leveraging GDPR for Trends in the US
The GDPR kicked off this new wave of data privacy and data protection laws. Particularly in the US, which lacks an omnibus federal data protection law, many states have proposed their own data protection laws. Most recently, this was seen with the passage of the California Consumer Privacy Act (the “CCPA”), which was heavily influenced by the GDPR. Despite the COVID-19 pandemic, the California Attorney General has reiterated that the enforcement date of the CCPA is still July 1, 2020. The California Attorney General is currently working on the third draft of his CCPA regulations before a final draft is due by July 1.
For companies that have never undergone data protection compliance exercises, the process can be daunting, but we can leverage our existing data protection knowledge to quickly get in front of these issues as they come up in day-to-day business operations.
Dated April 8, 2020
Written by Stan Sater and Jeff Bekiares
* * *