The Risk Advisory Services (RAS) Team
Can you avoid the headaches, costs, and resources needed to comply with the European GDPR?
Aiming to extend the protection of the data rights and privacy of individuals in the European Union beyond the Union's borders, the new EU General Data Protection Regulation ("GDPR" or "the Regulation") is one of the first global privacy laws affecting organizations all over the world.
Even though your business, nonprofit or governmental entity is US-based, you may be subject to GDPR compliance requirements, and to fines for non-compliance, when the Regulation becomes enforceable on May 25th, 2018.
As the enforcement date moves closer, US-based businesses need to take a serious look at whether or not they are responsible for becoming GDPR compliant. To help you determine whether you need to commit budget, time and resources to compliance, it is important to dive into the Regulation's Material Scope and Territorial Scope.
GDPR Material Scope
The Regulation applies to the processing of personal data, whether or not that processing is automated, by any organization that falls within its territorial scope (discussed below).
The Regulation defines processing as:
“…any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”
In comparison to the majority of the privacy laws currently in effect, the Regulation takes a much broader view of what constitutes 'personal data'. Most organizations think of personal data as information that is sensitive in nature, such as Social Security Numbers, credit card numbers, or Protected Health Information ("PHI").
However, GDPR refers to personal data as:
“…any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
Essentially, the Regulation's requirements apply to any information that can be traced back, directly or indirectly, to a specific living individual (the "data subject"); a name, an email address, an IP address, a device identifier or a location history all qualify, not just the identifiers traditionally treated as sensitive.
GDPR Territorial Scope
As stated earlier, GDPR is effectively the first global privacy law. The Regulation explicitly states that it applies to processing carried out in the context of the activities of an establishment in the Union "regardless of whether the processing takes place in the Union or not".
It is important to note that this does not mean that all processing of EU personal data is automatically covered by the Regulation. The Regulation spells out the instances in which such processing is covered.
The first instance is processing performed in the context of the activities of an organization established within the Union. If the organization has operations in the EU, the personal data processed in connection with those operations is covered by the Regulation, even when the processing itself is performed on servers outside the EU.
The second instance is that the processing of covered personal data is performed by an organization located outside the Union, but where the processing relates to either:
“a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
b) the monitoring of their behaviour as far as their behaviour takes place within the Union.”
In essence, the Regulation applies to both EU and non-EU organizations if they process covered personal data of individuals who are in the Union. Note that the test is the location of the data subject at the time of the processing, not citizenship: a US citizen living in Paris is covered, while an EU citizen living in New York generally is not.
Controller vs. Processor
If your organization meets the criteria above and decides why and how the personal data is processed, the Regulation views your organization as a 'Controller'.
Controllers are the organizations that interface with the data subjects. They determine the purposes and means of the processing, and are responsible for (1) the collection of personal data from the data subjects, (2) establishing the purpose of the processing, and (3) ensuring that the rights of the data subjects are protected.
However, the Regulation identifies two types of covered organizations - controllers and processors. Here's where the other shoe drops: processors must be GDPR compliant as well.
Processors are third parties used by controllers to perform a portion of the processing of covered personal data on the controller's behalf. Controllers may only use processors that provide sufficient guarantees that the data subjects' rights and protections will be upheld within the processor's portion of the processing, and the Regulation requires that the relationship be governed by a contract that sets out the processor's obligations.
What this means is that even though an organization may not directly offer services to the EU, or otherwise meet the territorial scope requirements, it can still be required to become compliant as a processor. If your organization provides services to a data controller involving the processing of covered personal data, your organization will be required to demonstrate compliance with GDPR so that your data controllers can effectively maintain their own compliance.
Why Is GDPR Compliance Important to U.S. Businesses?
U.S. businesses that process personal data obtained from data subjects within the Union and fail to comply with the Regulation face significant penalties, which can include administrative fines of up to 20 million euros or 4% of their total worldwide annual turnover for the preceding financial year, whichever is higher.
U.S. businesses that are not compliant and provide services involving the processing of personal data to other organizations could also lose business with international clients. Those clients are explicitly required to ensure the compliance of any processors they use, and a non-compliant processor cannot support their GDPR efforts.
Freed Maxick Can Help You Become GDPR Compliant
Our team of privacy and security control experts will work with you and your organization to review your overall compliance with GDPR. By conducting a thorough examination of your organization’s privacy practices, we can help you navigate GDPR, identify weaknesses in your current processes, and advise you on the most effective and efficient ways to both achieve and maintain compliance.
Connect with us today by completing and submitting your request for a complimentary compliance assessment review, or email Peter.Schnorr@freedmaxick.com.