European privacy regulations cross the Atlantic
Entities conducting international business can be subject to the law
March 2018 is the deadline for compliance with a European Union law called the General Data Privacy Regulation, or GDPR, and many American businesses have been caught off guard. They are just realizing that they will be subject to the law because they have operations in Europe, or do business with companies or residents in the EU.
Moreover, GDPR covers an unusually broad range of information and imposes stringent privacy and security obligations that are — pardon the pun — foreign to most American businesses.
What’s the solution? Determine if your business is subject to GDPR. If so, promptly conduct a comprehensive privacy and security risk assessment, and bring your business into compliance with GDPR, before you become a target of scrutiny from an EU regulator or one of your European business partners.
An American business is subject to GDPR if it falls into any of following four categories:
• A business that has operations in the EU is subject to GDPR. Such operations can either be direct, such as a physical facility or employee in the EU, or indirect, such as doing business through a dedicated agent in the EU.
• A business that furnishes goods or services, either for compensation or at no charge, to EU residents in the EU is subject to GDPR. Most businesses can readily identify if they provide goods or services to EU residents. However, assessing if goods or services are provided in the EU is often a much more difficult and uncertain determination.
• A business is subject to GDPR if it monitors the activity of EU residents in the EU. Such monitoring can occur quite easily through the use of automated Internet utilities, including cookies, or through applications on mobile devices.
• EU companies that do business with American companies are required under GDPR to contractually require their business partners to comply with the law if the American companies are subject to GDPR. Thus, like the proliferation of business associate agreements under U.S. health privacy law, American businesses will be finding themselves required to enter into agreements with EU companies that contractually bind them to GDPR compliance.
Strict statutory limits
If a business is subject to GDPR, it is required to safeguard an extremely broad range of information about EU residents.
Unlike American law — which typically protects limited types of information, such as social security numbers, governmental IDs, financial account numbers and health information — GDPR envelops literally any information concerning any identifiable EU resident.
For example, it encompasses common information like name, mailing address, email address and phone number, as well as less apparent information like an individual’s IP address, geolocation, travel plans, purchasing history and a seemingly inexhaustible list of any other information identifiable to an EU resident. American businesses are currently unaccustomed to regulatory control covering such a broad array of information.
GDPR also requires stringent privacy and security safeguards that many U.S. businesses are currently unprepared to address.
For example, GDPR privacy rules impose strict statutory limits on the nature and extent of a business’s collection, retention, use, disclosure and disposal of information concerning EU residents, and require businesses to provide detailed notifications to all such individuals explaining numerous aspects of the business’ practices concerning such information.
The law affords even stricter privacy protections to sensitive information, such as material about genetics, biometrics, sexual orientation, religious and political affiliations and trade union activities. In addition to GDPR’s privacy rules, the law imposes security rules requiring businesses to adopt reasonable physical, technological and administrative safeguards against theft, loss and unauthorized access and use of information covered by GDPR.
Steps to comply
GDPR compliance can be a daunting task for American businesses unfamiliar with strict privacy and security laws. But compliance is achievable, if a business commits to doing so.
The first step is a comprehensive privacy and security risk assessment conducted by a team consisting of leaders in the business, an experienced data security attorney and IT personnel or an outside IT security expert. The process begins with an inventory of all protected information (under GDPR, American law and otherwise) and other confidential information that the business should protect. All of that information is mapped throughout its lifecycle to identify areas of risk, aspects of legal non-compliance and opportunities for improvements.
The outcome of the assessment is a report prioritizing and outlining suggested remedies. Retaining legal counsel to lead this project is critical not only because the process is greatly enhanced through the expertise of an experienced data security lawyer, but also to ensure that this sensitive report, as well as similar documents and communications that contain such sensitive information, remain protected by the attorney-client privilege.
Once the assessment and report are complete, the next step is to implement the remedies, and adopt written policies and business practices that comply with GDPR (and simultaneously with American law).
Lastly, the business must train its workforce. Training is critical because employees present both the biggest risk to the information they use every day in the business, as well as the best safeguard for that information.
Many businesses may have been caught by surprise by GDPR’s reach across the Atlantic, and the broad scope of its stringent requirements. The solution is to promptly determine whether your business is subject to GDPR and, if so, start the process to bring your company into compliance with the law. Compliance is achievable.
Cameron G. Schilling is a director of the law firm of McLane Middleton and chair of its Privacy and Information Security Group.