U.S. companies that handle data belonging to customers living in the European Union may not realize that they will be subject to the General Data Protection Regulation when it takes effect May 25th, 2018. The EU’s digital privacy and data protection law has taken on new significance following an executive order from the U.S. government in January 2017.
Here are some highlights of what you need to know:
- Consent – Valid consent must be explicit, covering both the data collected and the purposes for which it is used. Data controllers must be able to prove that consent (opt-in) was given, and consent may be withdrawn.
- Breach Notification (within 72 hours) – Under the GDPR, the Data Controller will be under a legal obligation to notify the Supervisory Authority without undue delay. The reporting of a data breach is not subject to any de minimis standard and must be reported to the Supervisory Authority within 72 hours of the data breach. Individuals have to be notified if adverse impact is determined. In addition, the data processor will have to notify the controller without undue delay after becoming aware of a personal data breach.
- Right to access – Under the GDPR, individuals will have the right to obtain:
  - Confirmation that their data is being processed;
  - Access to their personal data; and
  - Other supplementary information – this largely corresponds to the information that should be provided in a privacy notice.
- Right to be forgotten – A right to be forgotten was replaced by a more limited right to erasure in the version of the GDPR adopted by the European Parliament in March 2014.
- Rules regarding data portability – A person shall be able to transfer their personal data from one electronic processing system to another, without being prevented from doing so by the data controller. Legal experts see in the final version of this measure a “new right” created that “reaches beyond the scope of data portability between two controllers.”
- Data privacy by design/default – Data protection by Design and by Default requires that data protection is designed into the development of business processes for products and services. This requires that privacy settings be set at a high level by default, and that the controller take technical and procedural measures to ensure that the processing, throughout the whole processing life cycle, complies with the regulation.
To learn more, visit our Guest Blog by Greg Garner here.
Here are some other great resources on this topic:
- IBM’s ebook, The end of the beginning: Unleashing the transformational power of GDPR – To register and download their ebook, click here.
- An article from Gartner’s Brian Yeager, The GDPR: A Game-Changer for personalized marketing? Read his full article here.
- The European Union’s GDPR Information Portal can be accessed here.