You should read this article. You should take it seriously. I’ll admit it — we lawyers are risk averse. We tend to prepare clients for the terrors in the night that may never come. This article isn’t one of those. Read this carefully and take the E.U.’s new General Data Protection Regulation seriously.
The GDPR is intended to strengthen European data protection laws. It replaces the E.U. Data Protection Directive. The GDPR gives individual citizens the ability to control the collection and use of their personal and personally identifiable information. More importantly for readers of Practical Ecommerce, the GDPR regulates not only European businesses, but also businesses outside of the E.U. that collect information from European citizens.
General Data Protection Regulation
The GDPR applies to the processing of personal and personally identifiable information, even, again, if the party collecting, controlling, or processing that information is outside of the European Union. This means that any company that sells or markets products or services to citizens of the European Union is subject to the GDPR regardless of whether the company has servers located in the European Union, offices in the European Union, or contracts with data processors within the European Union.
Companies that fail to comply with the GDPR can face warnings, periodic audits, and fines of up to €20,000,000 or up to 4 percent of the company’s worldwide net sales. These serious penalties, combined with more serious enforcement mechanisms, makes clear that businesses should take the GDPR seriously.
… any company that sells or markets products or services to citizens of the European Union is subject to the GDPR regardless of whether the company has servers located in the European Union, offices in the European Union, or contracts with data processors within the European Union.
Another large component of the GDPR is the codification of “privacy by design.” Privacy by design is an engineering approach that requires that privacy concerns be addressed in the software engineering process.
Privacy by design takes human values into account in designing software, and Article 25 of the GDPR now requires that data protection be designed into the creation of business processes, software, and services. Companies must implement technical and organizational measures to ensure that (a) data is only collected for the specific purposes for which it is used, (b) data can be collated to comply with access requests, and (c) data be collected and maintained in a way that allows opt-out, suppression, and portability.
Portability
The GDPR also strengthens the rights of E.U. citizens. Article 18 of the GDPR provides E.U. citizens with a right to data portability. This allows E.U. citizens to transfer their personal and personally identifiable information from one data controller to another, which means that data must be maintained, as mentioned above, in a portable form.
This right primarily applies when an E.U. citizen wants to transfer to another service provider — the current service provider must be able to port that data to a new provider. The GDPR also allows an E.U. citizen to obtain any personal or personally identifiable information that has been collected and is being processed “in a structured, commonly used, and machine-readable format.”
Under the GDPR, E.U. citizens now also have a strengthened right to be forgotten, titled a “right to erasure.” Upon request, an E.U. citizen has the right to have his or her personal data deleted without “undue delay” if the data is no longer necessary, the individual has withdrawn consent, or the data has been unlawfully obtained or processed. Where an E.U. citizen has made a request for deletion and the data in question has been made public, the data controller must take reasonable steps to inform all data processors that a request for deletion has been made.
This means that, where a search engine provider, such as Google, has archived or republished data that is the subject of a deletion request, the business that received the deletion request must notify the search engine provider that the request has been made to delete the data in question. This could have wide-ranging effects because U.S. businesses could now be held responsible for having links removed from search engines upon receipt of a request for deletion.
Data Protection Officer
The GDPR also requires that companies whose “core activities consist of [data] processing operations” must appoint a data protection officer if “special categories” of data are collected. These special categories include genetic data, biometric data, political opinions, religious beliefs, philosophical beliefs, race, gender, or national origin.
Regardless of whether this information is collected from users, a data protection officer must be appointed if this information is collected for human resources purposes. Data protection officers must monitor compliance with the GDPR and serve as a contact point for data protection authorities.
Finally, the GDPR provides new data breach compliance requirements. Under the new Article 31, data controllers must notify data protection authorities within 72 hours of learning of a data breach. The notification in question must include a description of the categories and approximate number of people affected, the nature of the breach, the potential consequences of the breach, and the actions taken to address the breach. Data protection officers must also notify individual citizens of the E.U. when the “personal data breach is likely to result in a high risk [to] the rights and freedoms of individuals….”
Thus, when a U.S. company suffers a data breach, it must comply with these new requirements of the GDPR.
Preparation
The GDPR is voluminous. This article is far too short to cover all of its changes. If your ecommerce company collects personal or personally identifiable information from users or employees in the European Union, however, you should begin to become familiar with its provisions and seek legal counsel to ensure compliance. Though the GDPR will not go into effect until May 2018, it will take time to prepare for its wide-ranging effects.