The European Union (“EU”) and the United States have very different regimes for protecting personal information. The United States uses a patchwork of privacy laws including the Health Insurance Portability and Accountability Act (“HIPAA”) for protected health information, the Financial Credit Reporting Act (“FCRA”) for credit reports, and many more. In contrast, the EU considers privacy a fundamental right and uses the Data Protection Directive (“Directive”) to regulate the processing of personal data across Europe. True to character, European regulators recently approved a comprehensive privacy regulation which will take effect in 2018. The regulation applies to all foreign companies processing EU personal data, so American and Canadian companies should make certain their compliance programs are EU relevant.
GDPR Replaces EU Directive
In the works since 2012, the General Data Protection Regulation (“GDPR”) was adopted on April 14, 2016, and is scheduled to go into force on May 25, 2018. GDPR replaces and expands the Data Protection Directive by centralizing powers that were previously reserved to EU member states.[1] Under the Directive, EU member states are allowed to pass laws to supplement the Directive, resulting in many states having different personal data laws. GDPR aims to harmonize Europe’s privacy laws and also restricts the ability of member states to pass their own data protection laws in the future.
GDPR Applies to Many American and Canadian Companies
Within the EU, businesses that collect individuals’ personal data are called “data controllers” and any use of personal data is called “processing.” Data controllers may use “data processors” such as cloud service providers or billing companies to handle personal data. The individuals about whom data is collected are called “data subjects.” Historically, the Directive only applied to controllers of personal data. However, the GDPR’s expanded jurisdiction applies to the processing of personal data of all EU residents, even if the controller or processor is located outside of the EU.[2] This means that American and Canadian companies that sell goods and services to EU residents will be subject to the GDPR.
EU DATA PROTECTION BASICS
Below are some key areas for organizations to consider when aligning their compliance environment to the GDPR requirements:
New Obligations in the Data Ecosystem
Companies will be required to obtain unambiguous consent when collecting EU personal data. For websites, this will require the checking of a box or other technical configurations to clearly indicate the data subject’s acceptance of the terms of processing. Companies must also build in new personal data protections in the form of identity-masking techniques such as “pseudonymization,” which makes individual identification more difficult. Employees should be trained in these practices, and companies must regularly audit the data they maintain and document the reasons for its collection. Additionally, all uses of high-risk data will be subject to a privacy impact assessment to account for the risks of processing and to identify potential safeguards.
Requirements for a Data Protection Officer
Companies that currently monitor data subjects using targeted online advertisements or customer loyalty programs will be required to appoint a Data Protection Officer (“DPO”). One study suggests this new requirement will result in up to 28,000 new DPOs in Europe alone.[3] American and Canadian businesses with no physical presence in the EU may also be required to appoint a DPO if they monitor personal data from EU employees or customers.
Increased Security Requirements
Data controllers and processors will have increased security responsibilities when storing or processing personal data. GDPR requires that both data controllers and data processors take security measures proportional to the risks of processing and the types of information involved. In the event of a data breach, companies will be required to inform privacy regulators within 72 hours of discovery and to notify data subjects “without undue delay.”
Possibility of Multi-Million-Euro Fines
Violators of EU data privacy law, including American and Canadian companies, will be subject to potential fines of up to 4% of annual revenues or €20 million, whichever is higher. Because this scales with the size of a company, larger companies could face massive fines – potentially millions of Euros.
Expanded Individual Rights
Individuals also gain rights: the right to be forgotten and the right to data portability. The right to be forgotten allows an individual to request that a corporation delete that individual’s information once its retention can no longer be legally justified. Under the right to data portability, individuals may request a copy of all automated data which a company possesses about them. This data must also be delivered in an easily transferable format, which could be an arduous and expensive task for some companies.
KEY TAKEAWAYS OF GDPR
In the Next Installment
In the next segment of our GDPR series, we discuss the new mandatory obligation for organizations that process personal data to appoint a data protection officer (“DPO”). Under the new framework, the DPO will be accountable for monitoring an organization’s compliance with GDPR as well as reporting on privacy-related issues. Be sure to check back for an in-depth analysis about the function of a DPO as well as which businesses and industries will be affected.
The Authors
Part 1 of Sunera’s GDPR: A New Data Protection Landscape series was written by:
Erica Walker, JD, CIPP/US | ewalker@sunera.com
Eric Roth, JD, CIPP/US | eroth@sunera.com
Evan Nagler, JD, CIPP/US | enagler@sunera.com
About Sunera
Sunera’s Data Privacy team has developed and implemented privacy programs for some of the nation’s largest and most complex organizations. Our privacy professionals have expertise in a number of privacy regulations and frameworks, including international privacy laws, U.S. state regulations, HIPAA, HITECH, GLBA, and NIST. Most of our privacy experts are Certified Information Privacy Professionals (CIPPs) and Certified Information Systems Auditors (CISAs), and a number of Sunera’s experts are Juris Doctors who have previously worked in privacy law, assisting clients with their compliance with local and international privacy laws. Our privacy team is actively involved in the data privacy community, presenting on key privacy issues at leading security and privacy conferences and contributing to privacy thought leadership.
For more information about GDPR compliance, or any of Sunera’s other services, please contact:
Eric Dieterich, Data Privacy Practice Leader
786.390.1490
edieterich@sunera.com
sunera.com
Disclaimer: Sunera LLC is not a law firm and does not provide legal advice. This document is intended for informational purposes only.
[1] Directive 95/46/EC
[2] http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:52016PC0214&from=EN
[3] https://iapp.org/news/a/study-at-least-28000-dpos-needed-to-meet-gdpr-requirements/