In May, the European Union’s General Data Protection Regulation (GDPR) becomes law and applies to companies inside or outside the EU offering goods or services to, or monitoring the behavior of, citizens residing in the EU.
While not significantly different than older rules, the new law’s additional regulations provide European citizens complete and explicit rights over the usage of their online and/or stored personal data, even just an email address.
The new law also makes privacy laws consistent among all EU member states.
“Prior to GDPR, it would have depended upon what country you were dealing with, as the rules could be different from one country to another,” says Andrew Lichey, product manager for IFS field service management.
Lichey points out five key areas where European individuals have the say over their data held on a company’s system:
- Individuals have the right to give or deny consent for the storage of their personal data, including the time period for which it can be stored.
- Individuals have the right to be “forgotten;” personal data must be removed or anonymized on request.
- Individuals have the right to access their personal data and ask for justification for holding it. Companies can only retain the minimal data required for doing business.
- Individuals have the right to rectification (editing/correcting) of data held on a company’s system.
- Data held on one system must be portable to another company’s system upon the individual’s request.
In addition, breach notification is mandatory where a data breach has occurred and is likely to “result in a risk for the rights and freedoms of individuals,” and must be done within 72 hours of a company first becoming aware of it. In addition, companies must appoint a data protection officer (DPO) who is responsible for all GDPR tasks being carried out.
The cost of infraction is high. Organizations can be fined up to 4 percent of annual global turnover or 20 million euros for breaching GDPR. This is the maximum fine that can be imposed for the most serious infringements, e.g., not having sufficient customer consent to process data or violating the core of Privacy by Design concepts (see GDPR Key Changes). There is a tiered approach to fines—for example, a company can be fined 2 percent for not having its records in order (Article 28), not notifying the supervising authority and data subject about a breach or not conducting an impact assessment. These rules apply to both data controllers and processors—meaning “clouds” will not be exempt from the GDPR enforcement.
What this means for US-based companies can be boiled down to some basics. A US-based company that sells products or offers services to an EU individual or consumer cannot retain that person’s data for a period longer than necessary to complete the transaction, unless the person has approved. An individual can’t be placed on a vendor’s mailing list without a specific, traceable authorization by the individual.
A mailing list generated from a trade show, for example, does not constitute a legal tool under the law. Each person on the list must be contacted for approval for the data to be retained and used. Likewise, websites offering the user the ability to “opt in” to a list may not have a default “pre-checked” box; the user must actually check the box before submitting.
Not only does this law apply to a company doing business with an individual consumer, it also applies to B2B transactions and supplier relationships. The use of personal emails and contact information, even company emails, must be approved and used for intended business purposes. The only exception to this rule would be addresses like “info@” or “sales@.”
US food or beverage processors with an internet presence in Europe selling products, either US or European made, to European consumers come under the law.
However, does the rule apply to B2B relationships as well, for example, a small US-based food ingredient maker that sells only to European food and beverage processors and retains business contact information?
“The GDPR does not differentiate between consumer and professional,” says Rohan Massey, partner, Ropes & Gray International LLC, London, UK. “If the US business is selling into the EU, then the personal data it processes relating to its corporate clients [name, contact details including business email addresses, etc.] may be within the scope of the GDPR and will need to be treated accordingly, respecting the rights of the individuals in respect of their personal data.”
Scott Lyon, partner at Michelman & Robinson, LLP explains the law would apply to US food and beverage processors without manufacturing operations located in the EU, but selling products directly to EU businesses, even if they are not monitoring EU data subjects’ behavior.
“The contact information for anyone you would communicate with at the target company could still constitute personal data, so you would still have to comply with GDPR,” he says.