GDPR Compliance Deadline Looms

As the May 25, 2018 deadline approaches, companies are grappling with compliance issues relating to the European Union’s General Data Protection Regulation (GDPR). Those with physical operations in an EU member state have, more than likely, been preparing for quite some time.

GDPR imposes strict protections for the “personal data” of EU citizens, including individual consent, the “right to be forgotten,” 72-hour breach notice and crippling fines.

GDPR does not just apply to entities with a physical presence in an EU member state. Any entity that collects or processes personal data of an EU citizen in relation to the offering of goods or services to individuals in the EU, including, but not limited to, behavioral information, must comply. Server and cloud locations are relevant, anywhere vendors and employees access information.

Compliance considerations get a bit sticky when one considers that many companies not physically located in the EU operate websites and mobile applications that are accessible by citizens of the EU.

The stage for worldwide protection of personal information has been set. In short, GDPR requires that personal data collection be pursuant to affirmative consent (with limited exception), secure and transparent.

Article 6(1) of GDPR provides that processing shall be lawful only if and to the extent that at least one of the following applies:

• The data subject has given consent to the processing of his or her personal data for one or more specific purposes;
• Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
• Processing is necessary for compliance with a legal obligation to which the controller is subject;
• Processing is necessary in order to protect the vital interests of the data subject or of another natural person;
• Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
• Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child (shall not apply to processing carried out by public authorities in the performance of their tasks)

There are numerous, time-consuming components associated with GDPR compliance, from privacy and data security to legal and operational considerations.

Article 3 of the GDPR mandates compliance if the “data subject” is in the EU at the time the data is collected. In other words, activities target EU citizens.

U.S.-based companies that believe may be impacted by GDPR should consult with an FTC lawyer and privacy attorney to discuss compliance protocols, as well as additional safeguards such as the US Privacy Shield certification program managed by the U.S. Department of Commerce.

The Privacy Shield is a voluntary, self-certification program under which a company has illustrated compliance with a variety of processes, notices and principles. In order to earn certification, a company must develop an adequate privacy policy that incorporates Privacy Shield principles, provide users with control over information that is collected, and designate an individual responsible for the compliance and verification of Privacy Shield principles.

Privacy Shield certification subject recipients to U.S. laws that govern such compliance, regardless of whether an entity is required to comply with GDPR.

GDPR also possesses limitations on consent, requirements for handling “sensitive” data and breach notice obligations.

There is no universal advice on what companies should do to comply. Such considerations will necessarily vary depending upon specific business operations.

Contact the author at rnewman@hinchnewman.com to discuss GDPR compliance in greater detail..

Richard B. Newman is an FTC defense lawyer at Hinch Newman LLP focusing on advertising and digital media matters. His practice includes conducting legal compliance reviews of advertising campaigns, representing clients in investigations and enforcement actions brought by the Federal Trade Commission and state Attorneys General, commercial litigation, advising clients on promotional marketing programs, and negotiating and drafting legal agreements. Follow him on LinkedIn at FTC Attorney.  

ADVERTISING MATERIAL. These materials are provided for informational purposes only and are not to be considered legal advice, nor do they create a lawyer-client relationship. No person should act or rely on any information in this article without seeking the advice of an attorney. Information on previous case results does not guarantee a similar future result. Hinch Newman LLP | 40 Wall St., 35^th Floor, New York, NY 10005 | (212) 756-8777.