On May 25, the European Union (EU) started enforcing a law called the General Data Protection Regulation (GDPR). Under the GDPR, European regulators have broad powers to regulate any entity that employs people in Europe, has a facility or work site in Europe, markets its products to people in Europe, monitors how Europeans use a website or processes information from Europe on behalf of another organization. Given the GDPR’s broad reach, most organizations will have to comply with the regulation. Failure to do so can result in fines of up to 20 million euros or four percent of global revenue, whichever is greater.
Organizations ignore the GDPR at their peril. Although the GDPR is focused on Europe, the scope is broad enough to capture most organizations in Utah. Regulators can fine an organization’s European operations, revoke business licenses and fine processors who work with organizations based in Europe. For example, if an organization in Utah uses a third-party logistics organization in Europe, regulators could fine the third-party logistics organization, which could pass that fine along to the Utah organization via operating agreements or other contracts between the two organizations.
What can an organization do to comply? At minimum, organizations must do the following:
• Develop notice and consent forms for the information they process.
• Develop a process for responding to inquiries from European citizens.
• Conduct privacy impact assessments.
• Prepare a record of processing and adopt privacy principles.
Notice and Consent Forms
In Europe, privacy is a fundamental right and is afforded stronger legal protections than in the United States. Because privacy is a fundamental right, organizations doing business in European markets must provide a privacy notice explaining what information the organization gathers, why it gathers that information, what other organizations receive that information and whether that information transfers out of the EU to other countries.
Furthermore, if information is processed automatically, the individual must be informed. For example, if a company employs the use of analytics to track customer activity on its website, the organization owning that website must inform the user about that process. The GDPR further requires such an organization to provide users with a brief description of the logic underlying the automated process.
Finally, organizations that process data from people in Europe must provide a legal basis for doing so in their privacy notice. Samples of legal basis include the individual’s consent, information needed to enter or fulfill a contract with the individual, processing information on behalf of a government entity or for the public good, and a legitimate business interest. If an organization uses consent as its basis for processing, it must keep a record of that consent and provide a point of contact so that individuals can rescind their consent.
Responding to Privacy Inquiries
Under the GDPR, organizations must comply with requests from individuals who wish to exercise their privacy rights. For example, a person in Europe may withdraw his or her consent to process information, request copies of all the information an organization collects about him or her and demand the organization stop processing that information. Organizations in Utah will need a point of contact to receive such requests, develop processes to identify all the locations and vendors who process an individual’s information on the organization’s behalf, create a method for providing that information to individuals as well as a method for deleting that information from every location and vendor who received that information.
Privacy Impact Assessments
Before an organization rolls out a new service, device, process, software or hardware, the GDPR requires that organization to evaluate the risks to privacy. Accordingly, organizations must evaluate whether the roll-out could lead to physical, material or non-material damage; identity theft, fraud or financial loss; or loss of personal control over personal information. To minimize potential risks to privacy, organizations must narrowly tailor their use of information to a specific task, closely monitor how the organization uses information and delete information it does not need.
Record of Processing
If an organization does not already have a record of processing, it must create documents showing which of its locations, vendors and partners process personal information. For each of those, an organization must determine what information is processed, the legal purpose for gathering information and how long it holds that information, and assign security controls to protect it.
Adopting Privacy Principles
Under the GDPR, organizations need to incorporate privacy concepts like data minimization and pseudonymization into the fabric of the organization’s daily operations. Data minimization requires organizations to limit the information they receive, use that information only for the initial reason it was gathered and delete information in a timely manner. An organization can pseudonymize information by replacing identifying values with substitutes that carry no meaning on their own. For example, organizations can take data sets containing usernames, credit card numbers and email addresses and assign random values in place of those fields, so that people outside the organization cannot interpret that information.
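As an added illustration of the pseudonymization described above (example code written for this page, not from the article or from GDPRIQ), the snippet replaces identifying fields with random tokens and keeps the re-identification table in a separate vault; the field names and sample records are assumed.

```python
import secrets
from typing import Dict, Optional, Tuple

# Fields treated as identifying (assumed for this example).
IDENTIFYING_FIELDS = ("username", "email", "card_number")


class PseudonymVault:
    """Maps identifying values to random tokens and remembers the mapping.

    The vault is the re-identification key: it must be stored and
    access-controlled separately from the pseudonymized data set.
    """

    def __init__(self) -> None:
        self._forward: Dict[Tuple[str, str], str] = {}  # (field, value) -> token
        self._reverse: Dict[str, Tuple[str, str]] = {}  # token -> (field, value)

    def tokenize(self, field: str, value: str) -> str:
        key = (field, value)
        token = self._forward.get(key)
        if token is None:
            # Random token: reveals nothing about the value, but the same value
            # always gets the same token so records stay joinable for analytics.
            token = f"{field}_{secrets.token_hex(8)}"
            self._forward[key] = token
            self._reverse[token] = key
        return token

    def resolve(self, token: str) -> Optional[str]:
        """Re-identify a token; only possible with access to the vault."""
        key = self._reverse.get(token)
        return key[1] if key else None

    def erase(self, field: str, value: str) -> bool:
        """Drop a mapping (e.g. on an erasure request): its tokens stop resolving."""
        token = self._forward.pop((field, value), None)
        if token is None:
            return False
        del self._reverse[token]
        return True


def pseudonymize(record: Dict[str, str], vault: PseudonymVault) -> Dict[str, str]:
    """Return a copy of the record with identifying fields replaced by tokens."""
    return {k: vault.tokenize(k, v) if k in IDENTIFYING_FIELDS else v
            for k, v in record.items()}


# Constructed sample records (not real people or card numbers).
SAMPLE_RECORDS = [
    {"username": "alice", "email": "alice@example.test", "card_number": "4111111111111111", "order_total": "42.50"},
    {"username": "alice", "email": "alice@example.test", "card_number": "4111111111111111", "order_total": "7.00"},
    {"username": "bob", "email": "bob@example.test", "card_number": "5555555555554444", "order_total": "19.99"},
]
```

Once the vault entry for a value is erased, every record carrying that token is left with a meaningless identifier, which is how a deletion request can be honoured without rewriting the analytics data set.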
With GDPR comes a raft of complex privacy regulations. Most organizations will have to comply with a portion of the GDPR. Failing to do so can result in steep penalties. If an organization has not yet begun its GDPR compliance process, it should start now.
Tsutomu Johnson is of counsel at Parsons Behle & Latimer in Salt Lake City where he co-developed GDPRIQ, an application that helps organizations develop their GDPR policies and procedures.