If your business offers goods or services to consumers in the European Union (or tracks information on EU consumers), you must become familiar with the acronym “GDPR.” The “General Data Protection Regulation” goes into effect May 25, 2018. And even if you are confident that your business complies with state or U.S. data-protection principles, that confidence may not be warranted as you face the GDPR.
Your business may already take care to protect information such as a customer’s Social Security number, credit card number, health data, and other personally identifiable information. But the GDPR broadens the definition of personal data that holders must protect. Article 4 of the GDPR defines “personal data” to include “any information relating to an identified or identifiable natural person (‘data subject’)” relating to the “physiological, genetic, mental, economic, cultural or social identity of that natural person.” Information about a person’s race or ethnicity, religious affiliation (or non-affiliation), political leanings, or sexual orientation would fall within this definition.
How does the GDPR impose obligations on American businesses in the first place? Its drafters intend the regulation to apply to anyone who processes the personal data of an EU resident—even if the processing is not done in the EU. Whether that intended reach can be enforced against an American business will be the subject of litigation, both here and in the EU. But as of now, the EU intends to subject data processors to fines of the greater of 20 million euros, or up to four percent of the processor’s annual global revenue. Even if your company is one of the forward-thinking ones, with cyber liability insurance in place, whether such policies cover fines imposed for a breach of the GDPR is something else to be litigated in coming years.
Rita Heimes, who holds the Certified Information Privacy Professional (CIPP) designation under both European and U.S. law (as well as the CIPM credential, for those who manage privacy programs), describes a “core value” of the GDPR: “Natural persons should have control over their own personal data.” She contrasts this with the U.S.-centric view that data, once collected, belongs to the collector. “This means when customers share their data with us it is not ours, but rather theirs, at least as the European Union sees it and as reflected in the GDPR.”
Mike Mandato, of Calyx IT in Cleveland, points out that businesses must carry this mindset through the entire life cycle of data, including data that may not pertain to active transactions—data businesses that businesses might think of as “on file,” but what information technology professionals call “at rest” data. The GDPR gives EU consumers the right to request that their data be removed from a data controller’s systems. This may require businesses to rethink their backup strategy, email and record retention policies, and any other in-house systems that hold “at rest” data. Mandato views this as a mixed blessing: “It is a good opportunity to fine tune security measures and data integrity within a business. But it may present added expense deploying processes and policies to examine data on a periodic basis to maintain compliance.”
What all this means is that companies of all sizes must make a conscious decision whether they want to do business (or continue to do business) with EU residents. They must weigh the potential costs of GDPR-compliance against the amount of business they hope to get from EU consumers. If the potential return is small or non-existent, it may be prudent to forgo that business. If, after weighing the benefits, you decide to retain or pursue business from EU residents, consult your technology vendor, your attorney, and your insurance agent to help you mitigate the potential costs that could follow non-compliance.
For more information, or questions on the topic, please contact Barry Miller at firstname.lastname@example.org or Curt Graham at email@example.com. Both Barry and Curt focus their practices on Data Management & Cyber Security Law in MRR’s Lexington office.