News & Thought Leadership from Sulloway & Hollis
What is EU-GDPR
In this article we will discuss what EU-GDPR is and how it may impact every company that has a website and has customers or clients located in a country that is part of the European Union.
The European Union General Data Protection Regulation (“EU-GDPR”) replaces the Data Protection Directive 95/46/EC. It was approved in April of 2016 and is effective in May of this year. As stated on the GDPR portal, the purpose is to “harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organizations across the region approach data privacy.”
The definition of personal data is broad in addition to what we may normally define as personal data, such as social security numbers, names and addresses; it includes photos, email addresses, bank details, posts on social media networking sites and your IP address.
Your company may think it does not have to worry about this because you are located in the United States, and you may be wrong. If your company processes or holds personal data for a person residing in a European Union country, your company may have to comply.
If you have decided that this regulation applies to your company the next question is what does your company need to do? For purposes of determining responsibilities it is important to distinguish data processors from data controllers. A controller is the entity that determines the purposes, conditions and means of the processing of personal data, while the processor is an entity which processes personal data on behalf of the controller.
The conditions for consent have been strengthened, as companies will no longer be able to use long illegible terms and conditions full of legalese, as the request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent – meaning it must be unambiguous. Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it. Explicit consent is required only for processing sensitive personal data – in this context, nothing short of “opt in.”
Under the EU-GDPR, notice of a breach is mandatory and must be made within 72 hours of first having become aware of the breach. Data processors will also be required to notify their customers, the controllers, “without undue delay” after first becoming aware of a data breach.
Right to Access
Each person covered has the right to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose. Further, the controller shall provide a copy of the personal data, free of charge, in an electronic format.
Right to be Forgotten
Each covered person has the right to have the data controller erase their personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data.
GDPR introduces data portability – the right for a data subject to receive the personal data concerning them, which they have previously provided in a ‘commonly used and machine readable format’ and have the right to transmit that data to another controller.
Data Protection Officers
Your company will be required to maintain internal records and appoint a Data Protection Officer (“DPO”) if one of your company’s core activities consists of processing operations which require regular and systematic monitoring of data subjects on a large scale or of special categories of data or data relating to criminal convictions and offenses.
What does this all mean?
It is clear that your website must contain notices to all users as to what data you collect what you do with the collected data and how it is protected.
Consent forms need to be reviewed and, if necessary, updated to clearly reflect that the granting of consent is unambiguous and that the user understands the terms of the consent and that it can be withdrawn.