
If you are a smartphone user, you may have wondered why so many new privacy policies have recently rolled out. The reason? The General Data Protection Regulation (“GDPR”) became effective May 25, 2018, and applies to all organizations that handle European Union citizens’ data. Businesses throughout the world, including in the US, are figuring out how best to navigate what some have called one of the most important corporate compliance events in years, with several controversial provisions. GDPR substantially increases the statutory obligations regarding the processing of personal data placed on data controllers and data processors both inside and outside the European Union. A controller is the entity that determines the purposes, conditions and means of the processing of personal data, while a processor is an entity that processes personal data on behalf of the controller.
Most startling of the new provisions are the severe maximum fines for violations: up to 20M Euro (currently about US$23.3M) or four percent of total worldwide revenue, whichever is greater. Notably, the regulation applies to organizations based outside the EU (e.g., in the US) if they collect or process data of individuals inside the EU. GDPR has its own website designed to answer many questions, www.eugdpr.org. The following is a very general description of some of the GDPR highlights. The regulations are vast in scope, and the need for compliance is critical.
As a general proposition, the GDPR aims to return control of personal data to citizens and residents and to simplify regulations, replacing the 23-year-old Data Protection Directive.
Personal data must be processed in a manner that ensures appropriate security of the data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organizational measures. A data controller is responsible for, and must be able to demonstrate, compliance.
What do data controllers and data processors have to do? In short, they have to implement appropriate technical and organizational measures, depending on a variety of factors. Examples include pseudonymization and encryption of personal data; the ability to ensure the confidentiality, integrity, availability and resilience of processing systems; the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident; and a process for regular testing. Controllers and processors must also maintain a record of their technical and organizational security measures and must comply with a Code of Conduct. Data controllers must conduct appropriate due diligence when selecting data processors and sub-processors and must enter into written contracts with processors regarding the scope of data uses and the protection of personal data.
In the event of a personal data breach, controllers must document the facts of the breach, its effects and any remedial action taken, and must enable the Supervisory Authority to verify compliance. Controllers must also notify the Supervisory Authority within 72 hours of identifying an incident and, if unable to do so, must provide a reason. A key exception applies if the controller can demonstrate that the breach is unlikely to result in a risk to the rights and freedoms of individuals. Notification to the affected individuals is required, without undue delay, only if the breach is likely to result in a high risk to the rights and freedoms of those individuals, subject to certain stated exceptions.
Finally, GDPR prohibits holding data in a format that permits personal identification for longer than necessary.
In short, these laws are complex and many companies are struggling with ensuring compliance. If you need more detailed analysis or compliance advice, please contact us for guidance.
Edward Ho, Partner
Edward Ho represents individuals and corporations in complex civil litigation matters, with special emphasis on shareholder disputes of closely held corporations, international supply and distribution agreements, fiduciary ...