GDPR IS HERE: HOW EU PRIVACY REGULATIONS IMPACT U.S. BUSINESSES
March 13, 2018
Press Releases, Publications
By: Devin Chwastyk, Louis Dejoie, Thomas Markey, and Sarah Dotzel
The General Data Protection Regulation (GDPR) takes effect in the European Union (EU) on May 25, 2018. Although U.S. businesses may think that EU regulations do not apply to them, GDPR extends to any entity that collects, stores, or uses personal data of people in the EU (data subjects), even if that entity has no physical presence in the EU. Organizations subject to GDPR now have less than three months to ensure compliance. Therefore, it is crucial to evaluate your company’s obligations for compliance and understand the risks of noncompliance.
Obligations of U.S. Companies
GDPR creates new obligations, and U.S. businesses must invest significant time and resources to comply. Three impactful obligations relate to data subjects’ consent to process their data, data subjects’ right to be forgotten, and the appointment of an executive-level data protection officer.
- Consent Requirements
A business must have a lawful basis to process personal data, such as consent. Processing certain types of data, including data concerning race, ethnicity, religion, political affiliation, and health, requires “explicit” consent from the data subject. Consent must be affirmative, informed, and freely given; implied consent, which may be acceptable in the U.S., will be insufficient under GDPR.
- 2. The Right to Be Forgotten
GDPR grants data subjects new rights, including the right to data erasure—more commonly called the “right to be forgotten.” The right to be forgotten allows data subjects to request deletion of their data under certain circumstances, including when the data subject withdraws consent or objects to the processing of his or her data. The right to be forgotten poses an operational challenge for many businesses, which must implement a process for, and invest staff time in, responding to data subjects’ requests. The right to be forgotten marks a significant shift in privacy law and is an unfamiliar concept in the U.S.
- Data Protection Officer
Compliance with the GDPR also requires some organizations to appoint an executive-level data protection officer. The data protection officer must act independently, report directly to the organization’s highest level of management, inform the organization of its obligations under GDPR, and monitor compliance with GDPR.
Consent, the right to be forgotten, and the data protection officer are key features of GDPR, but this is far from a comprehensive list of GDPR requirements.
Consequences of Noncompliance
Noncompliance with GDPR comes at a steep cost. The maximum penalty for failure to comply is €20 million or 4% of an organization’s worldwide revenue, whichever is greater. Additionally, data subjects have the right to seek a judicial remedy against infringing organizations. Therefore, GDPR offers a strong incentive for compliance.
GDPR Is Here
Many companies have spent months, if not years, preparing for GDPR, and at least one state is considering legislation that would create similar rights for data subjects. With May 25, 2018 rapidly approaching, organizations must assess whether GDPR applies to their business and work swiftly toward compliance. The attorneys in McNees Wallace & Nurick LLC’s Privacy & Data Security practice group are ready to answer your questions and offer guidance in navigating this new regulatory regime.
Devin Chwastyk, CIPP/US chairs the Privacy & Data Security Practice Group and Louis Dejoie chairs the International Law Practice Group at McNees Wallace & Nurick LLC. Thomas Markey and Sarah Dotzel are associates in the Privacy & Data Security Practice Group.
McNees is a full-service law firm based in central Pennsylvania with more than 130 attorneys representing corporations, associations, institutions and individuals. The firm serves clients worldwide from offices in Harrisburg, Lancaster, State College and Scranton, PA; Columbus, OH; Frederick, MD; and Washington, D.C. McNees is also a member of the ALFA International Global Legal Network.