The EU General Data Protection Regulation (GDPR)
By Danny Lee and Chris Keegan
The European Union’s General Data Protection Regulation (“GDPR”) is the result of four years of work by the EU to bring data protection legislation into line with new, previously unforeseen ways that data is now used. This new regulation will apply in all EU member states as of May 25, 2018. GDPR updates the 1995 Data Protection Directive by introducing tougher fines for noncompliance and breaches and by putting control of personal data back into the hands of the individual. It also means that organizations cannot simply gather data without good reason and must prove that they are doing all they can do to protect the data they hold.
Previously, under the directive, each EU member state was free to adopt laws in accordance with the principles laid out in the directive. This meant there were differences in the way each member country implemented and enforced the directive. Because the GDPR is a regulation and not a directive, it uniformly applies in all EU member states.
The GDPR Applies to “Controllers” and “Processors”
As a result of this updating regulation, “controllers” and “processors” of data need to abide by the GDPR. According to the regulation, a data controller states how and why personal data is processed, while a processor is the party doing the actual processing of the data. Therefore, the controller could be any organization from a for-profit company to a charity or government. A processor could be an IT firm doing the actual data processing.
While the legislation applies to EU companies, it also applies to any company that chooses to do business in the EU. Consequently, the GDPR will apply to US controllers and processors so long as they are dealing with data belonging to EU residents. That includes any online business that owns a website accessible by EU citizen. In sum, GDPR requirements apply to any types of organizations of any size in any country that process data originated in the EU. To continue to do business in the EU, most companies will have to implement additional privacy protections and end-to-end data protection strategies.
Consequences of Noncompliance
The GDPR gives data protection authorities more investigative and enforcement powers as well as the power to levy more substantial fines. The GDPR additionally provides a new “one-stop-shop” regulatory framework for the investigation of complaints and enforcement of the GDPR requirements. Under this framework, a member state’s supervisory authority will operate in one of three roles: a lead supervisory authority, a local authority, or a concerned authority.
A lead supervisory authority will supervise all the processing activities of that business throughout the EU. This will permit a controller or processor to rely on the guidance and enforcement procedures of one single EU supervisory authority. A local authority may deal with complaints or infringements that only affect data subjects in its member state. Lastly, a concerned authority will act when data subjects in its member state are substantially affected and will cooperate with the lead supervisory authority for the matter.
In the event of a personal data breach, data controllers must notify the supervisory authority no later than 72 hours after having become aware of it. If notification is not made within 72 hours, the controller must provide a “reasoned justification” for the delay.
Article 58 of the GDPR provides the supervisory authority with the power to impose administrative fines under Article 83 based on several factors. If it is determined that noncompliance was related to technical measures such as impact assessment, breach notifications, and certification, the fine may be up to €10 million or two percent of global annual revenue from the prior year, whichever is greater.
In the case of noncompliance with key provisions of the GDPR, regulators have the authority to levy a fine in an amount that is up to €20 million or four percent of global annual revenue in the prior year, whichever is greater. Examples that fall under this category are non-adherence to the core principles of processing personal data, infringement of the rights of data subjects, and transfer of personal data to third countries or international organizations that do not ensure an adequate level of data protection.
Chris Keegan, Beecher Carlson’s Cyber and Technology Practice Leader in the Executive Liability Practice, brings his industry expertise to the placement of network, privacy, technology, and media E&O insurance for a wide variety of companies including financial institutions, authentication providers, manufacturers, healthcare, retail, and telecommunications companies. He has also executed Cyber Information Risk Assessment projects and worked with regulators on evaluation of E-Business risks.
Chris is closely involved with the development of new insurance products designed to transfer electronic risk and is often asked to speak on these topics at seminars and functions throughout the United States and Canada. He has published a number of articles and books on privacy, intellectual property, and technology and is licensed to practice law in New York, New Zealand, and England. He can be reached at email@example.com.
JaeEon (Danny) Lee is a Legal Intern in Beecher Carlson’s Executive Liability Practice in New York, and is a rising third-year law student at Brooklyn Law School, where, in addition to obtaining his J.D., he is also pursuing his Certificate in Business Law. Previously, Danny interned at Barclay Damon, LLP where he primarily focused on litigation and researched issues on Corporate and Labor & Employment Law matters. He also interned for Microsoft Korea where he reviewed and analyzed business strategies and foreign regulations. Danny has a B.A. from Emory University in Sociology, with minors in Educational Studies. Danny is particularly interested in corporate, white collar crime, cybersecurity, and employment law and is actively involved in the Asian-Pacific American Law Students Association. He can be reached at firstname.lastname@example.org and email@example.com.