The General Data Protection Regulation (GDPR): What You Need to Know and How to Prepare
The impending General Data Protection Regulation (GDPR) will go live on May 25, 2018, protecting the personal data of European Union (EU) residents. By now you know, or at least you’ve heard, that the GDPR will have global effects and that its daunting penalties will apply to companies that handle any personal data, regardless of whether those businesses are actually located in the EU. But you may still be fuzzy on the details — what exactly is the GDPR? Who does it apply to? How does it work, and what does it require? Why does it exist at all? What specific rights does it provide for, and what happens if a company breaches its duties? Most importantly, what should you be doing today to prepare?
If you’ve put off understanding the GDPR or getting your business up to speed on compliance readiness, you’re not alone. Consulting firm Censuswide reported that about a third of U.S. organizations that will be subject to the GDPR don’t expect to be fully prepared by the effective date. Research and advisory company Gartner is even less hopeful, estimating that more than half of companies that are subject to the law will not be in compliance in 2018.
Your business doesn’t have to be one of the underprepared. Read on for an essential primer on the GDPR and a preparation checklist.
What Is the GDPR?
The GDPR establishes “rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data” to protect “fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.” Before the GDPR, European countries had a hodgepodge of data privacy regulations. The EU adopted the GDPR in April 2016 to harmonize and standardize these various laws, creating a single data privacy rule for all the participating nations.
In short, then, the GDPR provides several broad protections for the personal data of European residents, including the right to access one’s data and the right to have one’s data erased. It requires that companies justify their possession of personal data and carefully control what they do with it. After a two-year transition period, the GDPR will go into effect — and be fully enforceable — starting on May 25, 2018.
Unfortunately, with the time crunch to understand and comply with the GDPR, some discussions have been loose with their language and therefore somewhat misleading. Before we move into the details of how the GDPR works, let’s clarify a few details that are commonly misunderstood.
First, while the GDPR is loosely referred to as an EU regulation — which it is — it is not limited to the EU in two distinct senses. For one, the GDPR has been adopted by and applies to not only the 28 member nations of the EU but also Iceland, Norway and Liechtenstein, as part of the European Economic Area (EEA). Note that, for now at least, this means that residents of the U.K. will also be covered under the GDPR even after departing the EU, unless and until the U.K. gives notice that it is leaving the EEA. Switzerland, on the other hand, is in neither the EU nor the EEA. Additionally, as already mentioned, the GDPR is broader than the EU in that it applies to businesses anywhere that possess or process the personal data of residents of the participating nations. We’ll discuss what this means more in the next section.
Second, note that the GDPR defines “personal data” quite broadly; an American concept of privacy likely doesn’t cover everything that the GDPR protects. “Personal data” includes “any information relating to an identified or identifiable natural person.” Of course, that definition encompasses a person’s name, any identification numbers, birth date and location information such as physical addresses or IP addresses. But it goes further, also including online identifiers, demographic information and “cultural or social identity” information. Avoid the compliance trap of redacting names and expecting that to suffice under the GDPR. Anything that can be used to identify a specific person — even if it takes a lot of work to figure out — is personal data protected by the GDPR.
Third, you’ve probably noticed that we’ve referred to the personal data of European residents, not citizens. The GDPR actually protects the “personal data of data subjects who are in the Union,” which applies not just to citizens or residents but also to visitors and any natural person who can be found within the participating nations. For simplicity, we’ll refer to data subjects as residents rather than citizens, but bear in mind that the category is even broader than that.
How Does the GDPR Extend to U.S. Companies?
Under Article 3 of the GDPR, companies that have no physical ties to Europe are still bound by the GDPR if they “process” the personal data of protected residents in relation to either “the offering of goods or services” or the monitoring of data subjects’ behavior. What exactly does “processing” mean, though?
Again, this definition is broader than you’d expect from an American perspective. “Processing” under the GDPR includes “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means.” That definition clearly includes collection, recording, structuring, consultation and use of data. But processing isn’t just an active verb: the GDPR sets out further examples of processing that extend to storage, retrieval, restriction and erasure or destruction of data. Finally, processing also includes “disclosure by transmission, dissemination or otherwise making available.”
In other words, if your company has offered goods or services to even one customer in a participating European country and has thereby obtained and done practically anything with that customer’s personal data, you must comply with the GDPR. If you don’t know whether you have such a customer, the safe bet is to analyze and track the data that you do possess to identify any European customers. Here’s the good news: if it turns out that you are subject to the GDPR, you will need to identify that personal data and strictly control what you do with it anyway, so the same data audit that determines whether the GDPR applies to you will go a long way toward bringing you into compliance by highlighting the data that you must protect.
So, What Do We Have to Do Under the GDPR?
Your obligations under the GDPR depend substantially on what you do with personal data: are you a data controller or a data processor? In Article 4, the GDPR defines a data controller as a “natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.” A data processor, on the other hand, is a similar body that only “processes personal data on behalf of the controller.”
If you make decisions about data, such as determining why you have data or what will be done with it, you are a data controller. If you don’t make those decisions but instead only execute on someone else’s orders, you are a data processor. Note that you cannot simultaneously be both a controller and a processor of the same data, though you may be a controller as to some data — perhaps the personal data of your employees — while being a processor as to other data. Under Article 28, if a processor also “determin[es] the purposes and means of processing, the processor shall be considered to be a controller” for that data.
As a data controller, you must keep records of all the personal data you possess, be able to justify how you obtained that data and by what authority you have it, keep personal data secure and respond to requests by individual data subjects. Generally speaking, a data controller must be able to demonstrate that it obtained consent from each data subject for the possession and processing of that subject’s personal data. Consent must be affirmatively stated — it must be opt-in rather than opt-out — and obtained with clear, plain language. Controllers can only use processors that guarantee appropriate protection of personal data.
As a data processor, you must maintain detailed records of all your processing activities. Additionally, as a processor, Article 28 prohibits you from reassigning any processing to another processor without the permission of the data controller. Don’t fall for the trap of thinking you can avoid liability by outsourcing processing: if a processor does reassign processing to another company and that company fails to protect the data, the original processor remains liable for the breach.
In the event of a data security breach that is likely to compromise the privacy rights of data subjects, you must notify the applicable supervisory authority within 72 hours.
Public organizations and private organizations that regularly monitor data subjects must appoint data protection officers (DPOs). The DPO is responsible for monitoring GDPR compliance and advising companies about their requirements. While only some companies are required to appoint a DPO, any company can choose to create such a position or retain the services of a dedicated compliance officer.
Under the GDPR, data subjects also have specific rights that data controllers must comply with. First, subjects must have access to their personal data. Controllers must be able to tell a subject whether they hold any of that subject’s data, where that data is and why it is being possessed or processed. Upon request, controllers must provide electronic copies of that data, free of charge, to data subjects. Data subjects also have the right to correct their information. Finally, data subjects have a limited right to data erasure, formerly known as the “right to be forgotten.”
Now that you know what you’ll have to do to comply with the GDPR, let’s turn to what this means for ediscovery.
How the GDPR Will Affect Ediscovery
Up to this point, we’ve said nothing about traditional principles of U.S. discovery, such as retaining electronically stored information (ESI) in anticipation of litigation or producing relevant ESI to an opponent. That’s because the GDPR does not contemplate these types of uses or establish any exceptions for them. Therefore, it is essentially in conflict with U.S. litigants’ discovery obligations.
To understand why this is and what it means for discovery, let’s step back a moment to consider the key differences between European and U.S. expectations regarding information and privacy.
In Europe, the right to privacy is delineated as a fundamental right under Article 8 of the EU Charter of Fundamental Rights. Prior to the GDPR, that right and the means to protect it were individually defined by each member country pursuant to the Data Protection Directive, which set a baseline standard. In the U.S., our Constitution protects free speech, but it recognizes no specific right to privacy. Americans expect (and receive) far less in terms of personal data protection and privacy than their European counterparts.
What the U.S. does protect is the right of litigants to receive evidence that is relevant to their claims and defenses in a court case, wherever that information may be located. European nations have no equivalent, as there is an extremely limited right to discovery in most European courts.
How can businesses reconcile these conflicting obligations, then, when the vast majority of discoverable documents, emails and other ESI will contain personally identifiable information that is protected under the GDPR? The immediate answer may be that they cannot comply perfectly with both at once. Remember that under the GDPR’s broad definition of processing, every stage of U.S. discovery, from preservation and collection to analysis, review and production, is considered data processing that must be safeguarded and limited.
For example, a key component of discovery is not just identifying discoverable ESI but actually producing it to an opponent. While the GDPR does provide for cross-border data transfers, personal data can only be transferred to countries whose protections are deemed to be adequate — and the U.S. is not one of those countries. The Privacy Shield program does allow companies that demonstrate their compliance with data protection requirements to transfer data to U.S. locations, but those provisions don’t extend to third-party transfers. Companies therefore can’t transfer discoverable data to a U.S. company under the GDPR and can’t use the Privacy Shield program to transfer that data to opposing parties in litigation.
While this conflict is being resolved, it’s worth considering the penalties for violating the GDPR so you can make an informed decision about how to balance your duties and responsibilities.
Compliance and Penalties
One reason that everyone is talking about the GDPR is that its potential penalties are draconian. For infringement of the GDPR’s provisions regarding data transfer or data subjects’ rights, for example, companies — both data controllers and data processors — can be fined 20 million euros or 4 percent of worldwide annual corporate turnover, whichever is greater.
Let’s look at a real-world example to get a sense of what those penalties mean. Hilton was fined $700,000 in late 2017 by the New York Attorney General for two separate hacking incidents that compromised the financial information of 350,000 customers. Had that security breach — and Hilton’s delayed, lackadaisical response to it — occurred under the GDPR’s framework, the punishment would have more closely reflected the individual harm. Under the GDPR, Hilton’s fine would be based on its annual revenue: $10.5 billion in 2014, the year before the breach occurred. A 4 percent fine would add up to around $420 million. A penalty of that magnitude should get every business’s attention.
What do you do when you can’t comply perfectly with conflicting laws and you can’t afford to violate either one? Don’t fall into the trap of not acting because you believe that any effort you make is doomed to fail. Instead, design a thorough compliance strategy that will demonstrate your good-faith effort to respect and protect data privacy despite your cross-border discovery obligations. Devise recordkeeping methods that will comply with your GDPR obligations, set up access points for data subjects to obtain, correct or request erasure of their data, vet your data processors and processes thoroughly, beef up your security while creating a breach response plan and train your staff in all of these new requirements.
The good news is that the GDPR’s Data Protection Authorities (DPAs) are not likely to be focused on data processing or transfer for discovery, at least initially. DPAs will instead probably target direct violations such as the sale of personal data, data mining and security breaches, reactively responding to complaints. Demonstrating a reasonable good-faith effort to comply with the GDPR is likely to go a long way toward avoiding penalties.
How? In terms of discovery obligations, be mindful of how proportionality limits can minimize your need to produce personal data. Plan a phased approach to discovery where personal data can remain secure until and unless it is required. Additionally, look at whether you can anonymize data — so that it cannot be restored via reverse engineering — to resolve personal data privacy concerns.
The best way to run afoul of the GDPR will be to ignore it, remaining willfully ignorant and blatantly disregarding its mandates. Let’s turn to the concrete steps you can take to instead thoughtfully prepare for the impending regulation.
Reputable Organizations for GDPR Guidance
The International Association of Privacy Professionals (IAPP) has been preparing for and helping to shape the GDPR for years.
The U.K.’s Information Commissioner Office (ICO) has produced a “living document” guide to the GDPR. The U.K. legal system has more in common with the U.S. model than most European countries, making its guidance particularly helpful for discovery.
The EU itself not only offers guidance and interpretation of the GDPR but also the regulation’s full text — always the best place to start any research.
How to Prepare for the GDPR
- Appoint a DPO and/or a data ombudsman. If your company regularly conducts large-scale monitoring of data subjects, you are probably required to hire a DPO under the GDPR. Even if the GDPR doesn’t mandate a DPO’s appointment, having one knowledgeable person dedicated to managing your GDPR compliance and information security is always a good practice. Depending on how many customers worldwide you collect and process personal data for, and consequently how many data access requests you can expect to receive, you may also benefit from hiring or assigning a consumer data ombudsman. This person can serve as the single point of contact for customer data access, correction and erasure requests as well as complaints.
- Conduct an information audit. To comply with the GDPR — or even know whether it applies to your business — you must have an accurate, up-to-date map of the data you have and where it resides. What personal data do you collect? Where do you get it, and who else has access to it? What do you do with it? How long do you (or must you) keep that information? Arrange to have a complete data audit of your organization, and keep it up to date. Use this audit to purge outdated information as well.
- Develop a data management plan and ensure that you have a system to record your processing activities. Once you know what data you have, you must develop a system to track your data from creation to destruction. Remember that the GDPR requires both data controllers and data processors to document their processing activities, which include practically every action related to data. Also be sure to track your legal basis for possessing or processing personal data. The details of what data you are processing, how you process it and why must be written in your contracts. Don’t fall for the compliance trap of relying on your pre-GDPR contracts without reviewing them to ensure they include this information.
- Create a response plan for data subject requests. With the enhanced rights the GDPR provides for data subjects, prepare now for how you will respond to those requests. Data subjects have the right to access their information, correct mistakes in their data and request that their data be “forgotten” or erased. Through your data map, you should know what personal data you have and where it is. Develop a plan for providing that data on request, in a commonly used electronic format that customers will be able to access. Note that you must provide personal data at no charge within one month of the subject’s request. Additionally, create a written policy governing data deletion and be sure that you know who will make decisions about data erasure.
- Review and revise your current privacy notices, statements and policies. Your privacy notice, consent form and contracts should all be reviewed and revised as needed to ensure compliance with the GDPR. You should disclose in your privacy notice the types of data you may collect, how you will share and use that data and how long you will retain personal data. You must also explain how a customer can make access or erasure requests. Also be sure to review your method for obtaining consent for data collection and use. Remember that under the GDPR, consent must be freely given, informed based on clear and plain language and entered into purposely, not inferred from a failure to act.
- Create a security breach detection and response plan. Of course, the purpose of the GDPR — and all sound information security practices — is to avoid security breaches in the first place. That said, the best plans can fail, and the GDPR requires that you have procedures in place to promptly detect and report breaches. Determine who you will need to report security failures to and be prepared to act quickly: companies will have at most 72 hours to report breaches that threaten personal data security, and fines for failing to report in time are assessed on top of fines for allowing the breach to occur at all.
- Obtain ISO 27001 certification. While ISO 27001 certification is not a complete response to the GDPR’s requirements, it provides a straightforward starting point, demonstrates your good-faith effort to comply with cross-border data transfer and processing mandates and serves as an international benchmark for data security.
If you’ve put off learning about and preparing for the GDPR’s launch on May 25, 2018, you’re running out of time. Companies worldwide may be subject to its data privacy requirements and staggering fines for noncompliance. The worst thing you could do is hide your head in the sand — but taking a few reasonable steps to begin assessing your data and your information processing policies can quickly advance you to a good-faith effort and help you avoid compliance traps.
- Full text of the GDPR
- Home page of the GDPR
- A Third of US Businesses Do Not Feel Prepared for GDPR Deadline
- Gartner Says Organizations Are Unprepared for the 2018 European Data Protection Regulation
- Preparing for GDPR
- Don’t Give New Data Laws the Brush Off: The GDPR Still Applies to You
- New European Union Financial Rules to Give U.S. Consumers Protection as Well