Along with enhanced obligations on controllers and new, direct obligations on processors (including non-established entities in certain circumstances), the GDPR codifies some previously existing data subject rights while granting new rights. The key objective of the GDPR is to put individuals (“data subjects”) in the driver’s seat by giving them control over their personal data through transparency, the grant of individual rights, and a suite of tools – including extensive record keeping and data governance requirements for controllers and processors, and investigatory and enforcement powers for authorities.
Those powers include a competition-like sanction regime with potentially significant fines for violating core requirements (including processing personal data without a valid “legal basis”; unlawful cross-border data transfers; and violating individual data privacy rights). Top tier fines are the higher of 20 million euros or 4% of global annual revenues for core violations, or lower tier fines of up to the higher of 10 million euros or 2% of global annual revenues for violating breach notification and other requirements. Moreover, violations can result in potentially significant damage award arising from private lawsuits initiated by individuals and organizations acting on their behalf.
Every business that targets European data subjects or handles personal data, including service providers acting on behalf of their customers, irrespective of a company’s size or business sector must understand the impact of the GDPR on their business and data practices.
As companies grapple with the impact of the GDPR on their businesses in general, and data practices in particular, the following GDPR “top 10” should be considered:
1. Is My Business Caught?
The GDPR governs the “processing” of personal data by businesses “established” in the European Economic Area (EEA) (including through subsidiaries or affiliates) as well as to non-EEA based businesses whose processing activities relate to the offer of goods or services to data subjects in the EEA or monitoring their behavior, wherever the processing (e.g. storage) takes place.
Similarly, the GDPR may apply to a non-EU fund business that markets fund investments to EU investors, even if the fund’s structure is located outside the EU and personal data is stored outside the EU; a U.S. e-commerce business that targets EU customers or creates user profiles to customize an EU consumer’s experience; a pharmaceutical company running clinical trials in the EU and so on.
However, passive activities, for example the mere accessibility of a website in the EU, without more, would not trigger the GDPR.
The core test is whether a non-EU controller or processor is proactively processing personal data that is related to the offer of goods or services to EU data subjects, or monitoring their behavior.
There are some important and untested nuances around this test, for example it is currently unclear whether non-EU companies exclusively targeting businesses and not directly individual data subjects, are caught. Further clarification is expected from the newly formed European Data Protection Board on the scope of the extraterritorial application of the GDPR.
2. Is My Business a Data Controller or a DATA Processor?
As a threshold matter, the GDPR classifies those dealing with personal data as either a data controller or data processor. A controller makes decisions about personal data that is processed for its own purposes, including on its behalf by a service provider. A processor processes personal data solely on behalf of and at the direction of a controller and does not determine the purpose or means of the processing.
These distinctions are crucial because compliance obligations flow from the status as one or the other. Most of the GDPR’s obligations fall on controllers. Processors are subject to (i) contractual obligations that the controller imposes through a data processing agreement; and (ii) certain direct, independent legal obligations, including cooperating with EU authorities, assisting the controller with its GDPR compliance and notifying controllers of data breaches. A processor who acts without instructions, or determines the purpose and means of processing, will be a controller for that processing.
The classifications are fact-based: companies may not arbitrarily declare themselves as one or the other based on perceived advantage, including to minimize compliance obligations.
It is expected that EU authorities will focus their investigations on processors’ activities as a powerful and efficient way to assess and verify potential noncompliance of multiple controllers.
3. Is My Business A Joint Controller?
Companies may be joint controllers if they jointly determine the purpose and/or means of processing the same pool of data (even if the participation of the parties to the joint determination is not equally shared). This qualification is a matter of substance.
According to EU authorities’ guidance, the test for joint controllership includes whether a business is facilitating the processing of personal data by another business (for example, in the context of behavioral advertising where often website operators transfer personal data to ad network providers). It is often difficult to draw the line between independent data controllers and joint data controllers, and a careful consideration of the conditions of collaboration between the parties is required.
The GDPR requires joint controllers to enter into a transparent arrangement that allocates their respective compliance responsibilities and are jointly and severally liable for each other’s non-compliance.
4. Do I Need A GDPR EU-Based Representative?
Most non-EU businesses subject to the GDPR are required to appoint an EU-based representative in connection with their GDPR obligations. The role of the EU representative is to act on behalf of the appointing party with respect to that party’s obligations under the GDPR. Data subjects and the authorities are entitled to “address” the EU representative, without affecting their rights against the controller or processor. Authorities may bring enforcement proceedings directly against the EU representative instead of the controller or processor.
A number of organizations offer to fulfil the role of EU representative. Unsurprisingly, they inevitably seek robust indemnity protection for fines, claims, and losses arising in connection with the role. Companies should investigate the available options and appoint an appropriate representative, giving careful consideration to the mandate granted to the representative and the contractual terms that unilaterally protect the provider while exposing the customer to undue risk.
5. Transparency – Review Your Privacy Notice
Controllers must explain their data practices in concise, easily understood terms (typically, through a privacy notice). The notice must disclose the identity of the controller (or joint controllers) and explain the “legal basis” for data practices. The notice must also disclose (i) how the data will be used and the third parties with whom it will be shared; (ii) cross border data transfers; (iii) third party data sources (including publicly available data sources); (iv) retention periods and (v) data subject rights (to request access or deletion, to object to or require restriction of processing, to withdraw consent, rights in relation to automated decision-making and the right to complain to authorities). GDPR guidance on the transparency requirement issued by EU authorities suggests that EU authorities expect to see detailed information.
6. Is There A Legal Basis For The Processing?
Controllers must rely on one of six legal bases for processing (including sharing) personal data. Commonly used bases include consent, legitimate interest of the controller or a third party, and necessity to perform a contract or comply with legal obligations.
The GDPR tightens the rules around consent. Consent must be informed, “freely given” for a specific purpose and demonstrated through some affirmative action (such as checking an unchecked box). Drawbacks include that it may be withdrawn at any time, and individuals may request deletion of their data where consent is the sole legal basis for processing. Consent may also be difficult to prove in the event of an investigation or dispute. It is prudent to minimize the processing activities which rely on a data subject’s consent. Many companies are unaware of the other legal bases that may legitimize data processing. Accordingly, consider the types of data processing you engage in, assess what legal basis is most practical for your activities, identify and document the legal basis you are relying on for each activity and update your privacy notices accordingly.
If you intend to rely on a legitimate interest, a legitimate interest assessment must first be conducted to ensure your company’s interests are not overridden by the data subjects’ fundamental rights, including the fundamental right to privacy. It is also important to consider the impact of the potential exercise of rights that are available to data subjects in certain circumstances.
If you intend to rely on contractual necessity, be aware of the limited circumstances when it justifies data processing.
7. How Do I Transfer Data From The EU To The U.S. Or Elsewhere?
The GDPR prohibits the transfer of personal data to countries outside the EEA that are not considered to offer adequate privacy protections. Ongoing routine transfers of personal data outside the EEA must be legitimized by a valid transfer mechanism including the EU-U.S. (or, if applicable, the Swiss-U.S.) Privacy Shield or Standard Contractual Clauses (SCCs). These mechanisms may not be readily available to U.S. companies. For example, the EU-U.S. and Swiss-U.S. Privacy Shield frameworks are only available to companies that are subject to the jurisdiction of the U.S. Federal Trade Commission or the Department of Transportation. SCCs require a business (“data exporter”) based in the EEA and cannot be entered into with data subjects.
Cross-border data transfers may also be accomplished pursuant to limited exceptions, including explicit consent. If your company has historically relied on consent for cross-border data transfers, you will need to assess whether you may continue to use this exception. Data transfers may be justified if it is necessary to perform a contract with the data subject or for the establishment, exercise or defense of legal claims.
8. Review Your Data Processing Agreements (DPAs)
Controllers and processors must execute a DPA with mandatory terms that establish the parties’ status. DPAs set forth the controller’s processing instructions to the processor, restrictions on sub-processing, data breach notification obligations, controller’s audit rights and require that the processor assist the controller to comply with its obligations (including responding to data subject rights and conducting data protection impact assessments).
Processors must contractually flow down the obligations in the DPA to their sub-processors. This requirement can pose challenges when the chosen sub-processors are able to leverage their market power and impede the GDPR’s construct of empowering the controller to control the data processing throughout the processing chain.
9. Record Keeping
The GDPR requires controllers and processors to maintain detailed records of their data processing activities with mandatory details prescribed by the GDPR. These records must be provided to EU authorities upon request. Some authorities have announced that they will launch investigations and ask randomly selected businesses to provide copy of their processing records. Although such announcements appear to target only businesses with an EEA establishment for the time being, all companies should be prepared to review and hand over the records upon requests (including, for non-EEA based businesses, through their EU based representative (see above)).
10. Assess Your Incident Response Program And Update To Comply With The GDPR; Consider Impact On Other Jurisdictional Requirements
The GDPR requires controllers to notify authorities of certain “personal data breaches” within 72 hours of becoming aware of the breach, unless they can show the risk to individuals is unlikely. Likewise, affected individuals must be notified without “undue delay” if the breach is likely to result in a “high risk” to their rights and freedoms. Processors are required to notify controllers without undue delay after becoming aware of a breach.
Not all security incidents are necessarily personal data breaches. Companies inevitably experience security breaches from time to time, but whether an incident is a reportable breach requires a careful risk assessment. EU authorities have issued specific guidance on relevant factors to be considered when performing such risk assessment. Even if you are comfortable that an incident does not cause risk, ensure that you record your decision to justify your decision if requested. Ensure that your incident response plan is up-to-date and identifies your “lead” data protection authority, if you are eligible to choose one to ensure prompt notification.
Businesses operating in multiple jurisdictions must also consider the interplay of the GDPR’s breach notification obligations with mandatory breach notification obligations outside the EU (e.g., the U.S., Mexico and Australia). Relevant differences should be accounted for in incident response plans and policies and employees should receive regular training on such differences. Companies may want to consider the practical value of maintaining a unified vs. country-specific incident response plans, or whether it is possible to create a plan for subsidiaries in multiple countries with similar reporting obligations.
Goodwin’s Privacy + Cybersecurity Practice is one of the longest-standing privacy practices of any global 50 firm and has been ranked among leading law firms for privacy and cybersecurity, including by Legal 500 and Chambers. It fully integrates and leverages the firm's core strengths, with the group's lawyers coming from the technology, financial institutions, licensing, litigation and regulatory practices. The team has handled hundreds of data breach investigations, litigated landmark privacy cases, and defended clients in investigations and enforcement actions brought by state attorneys general and federal data protection regulators. Goodwin provides clients practical advice on all aspects of information-related management, including the establishment of comprehensive privacy programs, audits, transactional due diligence and compliance with domestic and international privacy laws.
Goodwin’s European team includes former Department of Homeland Security Chief Privacy Officer Karen Neuman (Washington), Gretchen Scott (London) Federica De Santis (London) and Jacqueline Klosek (New York).
To learn more about how Goodwin can help your company address privacy and cybersecurity, contact Brenda R. Sharton, Chair of the Privacy + Cybersecurity practice.