The Global Data Protection Regulation is set to shake up the way that companies process the personal data of EU citizens. GDPR will officially apply to all member states and to companies (referred to as “data processors” or “data controllers”) processing EU citizen data as of May 25, 2018. The change from the previous Data Protection Directive to the new GDPR requires adopting new policies and procedures. Here are some key changes to note:

In General - Broader Scope and Stiffer Penalties

  1. The reach of GDPR is much greater than that of the Data Protection Directive. The language is broad and meant to be sweeping.
  2. It applies to:
     • Data processors and data controllers who monitor and collect the data of EU citizens.
     • Most companies with an online presence operating in the EU or whose customers are EU citizens.
       • This is especially problematic for companies providing services online, because their business is likely to have captured an EU citizen’s data at some point, or will in the future.

The penalties for companies that are found to be noncompliant with GDPR are hefty. They are tiered and range all the way up to the higher of 20 million Euros or 4% of annual global turnover. This is a staggering fine that companies will seek to avoid at all costs.

1. More Stringent Consent Requirements

GDPR will effectively ban “bundling” consent, as well as the practice of pre-checking boxes for data subjects to un-check. Consent must be unambiguous and revocable. Consent must also be obtained independently for each distinct purpose of data processing. This means that if a company wishes to obtain a subject’s data for various reasons, consent must be obtained for each reason, and consent must not be implied.

Consent Checklist

Have you:

  • Put in place consent “click throughs” on your website?
  • Inserted language into the click-through consents pertaining to children and whether you will be controlling or processing their data?
  • Unbundled your consent click throughs into multiple check boxes, one for each discrete instance of data processing?

2. Stricter Notification Requirements

Notification of a data breach is required within 72 hours of the breach, to the appropriate authorities and to the data subjects impacted. The strict new notification requirements would prevent future Equifax situations (in which a data breach occurred and data subjects were not notified until months afterwards).

Notification Checklist

Have you:

  • Put in place specific procedures to report potential data breaches in an efficient and prompt manner?
  • Ensured that your company is taking a “privacy by design” approach to data processing and new projects?

3. Tougher Compliance and Accountability

Companies are now required to keep records of their data privacy efforts and of their Privacy Impact Assessments (“PIA”).

Compliance and Accountability Checklist

Have you:

  • Allocated budget for a Data Protection Officer?
  • Implemented measures to easily “erase” a data subject?
    • (Remember! The right to data erasure was established by Europe’s highest court in 2014.)
  • Put in place methods of documenting Privacy Impact Assessments (PIAs) and Data Protection Impact Assessments (DPIAs) for new projects your company takes on, to ensure early detection of privacy risks?