UPDATE: We’re happy to report this post made the Texas Bar Today’s list of the Top 10 blog posts of the week.
How does a $20 million fine sound to you for violating European regulations with activities conducted entirely within U.S. borders? On May 25, 2018, the new European General Data Protection Regulation (GDPR) takes effect. This makes significant changes to privacy and cybersecurity requirements applicable to companies that collect, process, or store any personally identifiable information of European Union (EU) citizens and residents – even if the processing and storage is done outside EU borders.
The GDPR was written specifically to have extraterritorial reach – not only in its applicability, but also in the calculation of fines. Even American companies that have customers or even a presence within the EU must comply. The fines for non-compliance can reach €20 million (currently, approximately $20 million) or up to 4 percent of worldwide revenue, whichever is greater.
So, having only a small income stream from Europe or a small presence there won’t limit your exposure. Your entire global annual income can become the basis for a fine calculation.
Replaces the Data Protection Directive
The GDPR replaces the earlier Data Protection Directive (DPD), under which you may currently be operating. If you have customers in the EU, or data subject to DPD requirements, you are likely using model contract clauses that had been vetted against the DPD, or, less likely, binding corporate rules (BCR).
If you’re thinking that, because your contract will extend past May 2018 and you won’t be making any changes to it, those contract clauses will continue to define your obligations, you’re incorrect. Whereas the DPD relied upon a contractual agreement for enforcement, the GDPR is regulatory fiat. Stricter GDPR requirements will supersede your DPD-compliant contracts, leaving you subject to expensive fines – unless you adjust to the new GDPR requirements.
Challenging new requirements
The GDPR has myriad complex new rules. There’s a requirement for companies to have a Data Protection Officer (DPO) on staff, with specified duties and competencies. The DPO must be competent in privacy requirements as well as in cybersecurity threats and defenses. They must also be readily accessible to receive reports of suspected privacy and security incidents and have rapid access to company leadership. Fortunately, the GDPR permits the DPO to be an entity rather than a single individual. The role can also be outsourced, or even located outside the EU. For example, a law firm or specialized company within the U.S. can provide contracted DPO services.
Additionally, the GDPR imposes new data breach notification requirements that could subject you to short-fuse reporting requirements where, previously, you would have had none at all. There’s also a new right to erasure, which is a modification of the earlier right to be forgotten, and requirements for data portability that may be onerous for some companies.
Get started on compliance efforts NOW
If you are not already sufficiently familiar with the new requirements, either start educating yourself, or find someone to guide you. The new requirements are significant, and one of the first things you might discover is that you’re already far too late getting started.
According to one study by the International Association of Privacy Professionals (IAPP), the number of DPOs required by May 2018 could exceed 25,000. Many organizations are predicting an acute shortage of qualified DPOs, and expect that many companies may be driven to use an outsourced DPO. Perhaps it’s best to start looking to either fill that in-house role soon, or get on a contract DPO’s client list before it fills up.
This update is for informational purposes only and should not be considered legal advice. Each situation is different, could change any time, and should be analyzed by an attorney.