The General Data Protection Regulation applies equally both to multinational corporations and to smaller non-EU companies wishing to expand into the EU. This is generally a non-issue, since the challenges posed by privacy regulations scale with the size of the company, though the underlying principles are the same for all.
To level the playing field, the GDPR applies to all processing and all data originating and taking place within the EU, no matter who is doing the processing. The scope of the GDPR, in other words, is borderless. It is the origin of the data that matters, not the domicile of the processor. The only option for businesses that do not want to be bound by the GDPR is to ditch EU customers and users altogether – an impossible proposition for most.
Many businesses are extremely concerned about this fact, but less than half have begun preparing for it. It’s high time they did, since the grace period ends soon – on 25 May 2018. Even though the changes in the GDPR are not dramatic compared to the DPD it supersedes, even the businesses compliant with the current Directive will face the need to update their procedures and policies.
1. Determine Applicability
Before beginning to enact compliance policies, it is worth checking whether your company’s data processing actually falls under the scope of the GDPR. If you have to ask, in most cases the short answer will be ‘yes’.
This is because the scope of the GDPR is not territorial, but concerns the data source. If you are doing any processing of EU-sourced data – in other words, if you have users, customers or contacts from within the EU – you are bound by the GDPR. If you have an office in the EU, you are under an obligation to ensure compliance without question.
But that’s not all. If it is evident that you are marketing towards individuals from the EU – for example, if it is obvious you ship to the EU, have an EU-country domain or quote your prices in Euros, you are considered to be doing business with the EU and must abide by the GDPR when it comes to processing of personal data – names, addresses, telephone numbers, payment details, etc.
This does not mean that you will have to block access to your website from within the EU if you wish to keep the GDPR at bay. It is only important that you don’t intentionally market your services to the EU market.
Take care if you are an information-based company: analytic and monitoring tools, such as those encountered on websites for advertising purposes, collect data from EU citizens that is considered personal, and such data must be treated accordingly.
Even if you do process and collect personal data originating from within the EU, you could still be exempt, as long as such processing is limited and occasional. Conducting a data privacy impact assessment can help you determine whether the GDPR applies to you.
2. Sandbox or Streamline
Because the GDPR applies ‘only’ to data originating from the EU, other data you process need not fulfil the stringent requirements of the GDPR. You, therefore, could ‘sandbox’ your EU data processing operations by isolating such data from other data and processing it separately, with all the appropriate safeguards. In theory, this saves money by allowing your company to forgo expensive administrative tasks that EU-based data requires.
Or, you could instead adopt a policy of applying the GDPR standards across the board, even when not required by the local laws. This could prove to be a simpler solution, with less risk of data breaches and loss. What’s more, you would basically be guaranteeing compliance with most worldwide privacy laws, as the GDPR is among the strictest pieces of legislation in this regard. Thus, only minor adjustments would be required for operation in virtually every part of the world.
3. Review Consent
Even if your consent policies have been up to par with the European standards, the GDPR is bad news for everyone: the consent requirements have become more stringent, and existing policies will be inadequate.
The GDPR stipulates that you notify the individual of the purposes and extent of data processing, as well as any data transfers to third countries, at the point of obtaining consent. The notice should be written in simple, easily understandable language. Users are required to consent explicitly. Pre-ticked boxes or implicit consent do not constitute consent for the purposes of the GDPR.
Be wary when it comes to children’s consent. Here, you could take the US’s COPPA as the gold standard, but take care: the GDPR sets the bar at 16 years old instead of COPPA’s 13, although most, but not all, Member States are expected to lower the threshold to 13.
4. Vet Your Processors
The GDPR distinguishes between data processors and data controllers. Most of the time, the same company will be doing both, but sometimes companies delegate their data processing activities to other service providers to make use of their know-how or lower costs.
The latter providers are considered ‘processors’, and their data recording requirements are considerably more relaxed, since it is the controller who is chiefly responsible for the data. In the same vein, the controller should ensure that the processor is a trustworthy company with adequate security measures.
Appropriate data transfer safeguards must be observed at all times, especially if the data processor is located in a non-EU country (see #7).
5. Careful with the Law
If you are planning to use legal obligations as a basis for your data processing, you need to be careful. Only EU laws and EU Member State laws qualify as a basis for this type of processing. If you are US-based, for example, US laws will not be adequate as a basis for processing of EU-sourced data.
For example, a Japanese multinational company doing business in the EU does not have the right to disclose employee information of its EU subsidiary based on an order or a subpoena by a Japanese court. A court order from a European court is required for that.
6. Keep Records
Taking into account the complexities of ensuring GDPR compliance while at the same time handling data from multiple sources and legislative environments, regular review and exemplary record-keeping stop being a suggestion and become mandatory in practice.
Any changes in data handling made by the headquarters create a domino effect – its subsidiaries must review their policies and ensure the data is still being legally collected and processed. That is impossible without proper and updated records pertaining to such data.
Remember that compliance is not a one-time effort, especially in the complex world of cross-border transfers. It is an ongoing process that requires regular vetting and review. Some increase in expenditure in this regard is unavoidable, unfortunately.
7. Cross-Border Transfers
Cross-border transfers will, by definition, be a common sight among non-EU multinational corporations with offices in the EU. The data they collect can be sent to the headquarters located outside the EU only if proper safeguards are followed – the GDPR generally forbids cross-border data transfers and allows them only on a conditional basis.
The GDPR allows for more options for these data transfers to third countries. In some cases, proper and vetted data transfer agreements or binding corporate rules (BCRs) can serve as adequate safeguards. BCRs are currently rare in the business world, but we expect increased reliance on them amid the increased uncertainty surrounding the EU–U.S. Privacy Shield. There really is no reason to violate the requirements of the GDPR here, since there are more mechanisms for such data transfers than there were under the Data Protection Directive.
Sometimes, no mechanisms at all will be required if the parent company is in a country deemed adequate by the European Commission. There is only a handful of countries on the list, though.
8. Prepare for Breaches
Reporting of breaches is mandatory under the GDPR. Make sure to enact all the appropriate technical and administrative security measures that reduce the risk of data breaches, and absolve you of responsibility should the breaches occur.
You must notify the users and the supervisory authorities within 72 hours, but preferably sooner. Reporting is not required only if the breach is so minor that there is virtually no risk to the individuals whose data has been lost.
Non-EU companies should make sure that their EU subsidiaries understand the need for a swift response and coordination with the authorities. Note that such reporting has not been mandatory in most EU countries, so the workers in those subsidiaries might not be aware of the requirement.
9. Appoint an EU Representative
Companies that have to abide by the GDPR must appoint an official representative within the EU. The representative serves as the point of contact between your non-EU company and the European supervisory authorities.
The representative also handles user queries and complaints. EU users will be able to exercise their privacy rights through this representative. Technically there is no requirement to situate your representative in a particular EU country, but our suggestion is to appoint one in the country where you are doing most of your economic activities.
The representative operates under your directions, but they need not be passive figureheads, as we expect them to end up most of the time. Instead, a good representative will be able to provide advice to their offshore headquarters and actively cooperate with ensuring GDPR compliance.
Ensuring compliance will be a difficult job, and handling all this data will require significant investments. However, it will certainly be worth it in the end, since the fines are simply too high to safely ignore.