A significant legal enactment is taking place in Europe that will have far reaching consequences on the litigation and information governance practices of U.S. organizations. On May 25, 2018, the General Data Protection Regulation (GDPR) will take effect and address the protection of personal data belonging to people who live in the European Union (EU).
In replacing the existing Data Protection Directive 95/46/EC (Directive), the GDPR will provide stronger safeguards for personal data (i.e., information that can be used to identify a natural person). Those safeguards will be strictly enforced by member state data protection authorities (DPAs), who will be authorized to impose stiff penalties for noncompliance. The GDPR protections will also apply beyond the borders of the EU, extending to organizations that have chosen to host personal information of EU data subjects in the United States or other countries.
Given the wide-ranging impact of the GDPR, clients and counsel should be aware of the nature, scope, and application of its requirements. Five of the most significant GDPR provisions are discussed below.
1. Application Beyond the EU
One of the most important aspects of the GDPR is the extraterritorial reach of its provisions. While the law clearly applies to organizations that process personal data within the EU, it also affects companies that elect to process (i.e., organize, collect, store, transmit, etc.) such data outside of the EU. As the GDPR portal explains, the law “applies to all companies processing the personal data of data subjects residing in the [EU]’ regardless of the company’s location.” This is a substantial change from how enterprises operated under the Directive where “territorial application” was considered “ambiguous.”
2. Additional Rights for EU Data Subjects
The GDPR also provides people living in the EU with various additional rights over their personal data. The first is the notion of express and intelligible consent to process personal data. Enterprises cannot simply bury a consent request in fine print and then bundle it in with several other matters in an omnibus employment agreement. Instead, consent must be “freely given . . . by a clear affirmative action” that demonstrates the data subject’s “agreement to the processing of personal data.” In addition, consent can be revoked at any time, a fact which must be communicated to the individual.
Data subjects will also have a right to access and take personal data that has been processed by an organization. Under these provisions, data subjects can find out whether personal data is being processed, along with the nature of the information and the purpose underlying the processing. They can also obtain upon request an electronic copy of their personal data and then share that information (i.e., data portability) with another company.
Data subjects may also seek the “erasure” of personal data under the so-called “right to be forgotten.” This right is qualified and subject to multiple conditions. Moreover, companies that have processed personal data must carefully balance various factors – including “the public interest in the availability of data” – before granting a data subject’s request to eliminate certain personal information.
3. Breach Notification
The GDPR includes a breach notification requirement. Under this provision, organizations must notify data protection authorities within 72 hours of a breach that is deemed to be a “risk for the rights and freedoms of individuals.” Others such as affected customers must be notified of such a breach “without undue delay.”
4. Data Protection Impact Assessment / Privacy by Design
Companies must also complete a “data protection impact assessment.” The impact assessment is designed to help them identify areas of risk, needed safeguards, and related measures to strengthen personal data protections. The data protection impact assessment is a particularly important step for organizations that are considering the use of new information systems. Under the “Privacy by Design” provision, organizations must consider the impact of such systems and their functionality on the processing of personal data. The GDPR directs companies to deploy technologies that both minimize the processing of personal data and limit the extent of its access to third parties.
5. Enhanced Penalties
The GDPR’s promise of stiffer penalties represents a significant change from the Directive. For the most serious offenses, companies can now be fined up to €20 million or up to 4% of their total annual revenue from the previous year, “whichever is greater.” Fines for lesser offenses could be the greater of €10 million or 2% of their total annual revenue from the previous year. Either way, these penalties are substantial and promise financial retribution for noncompliant organizations.
The Need for Actionable Measures
There are various other provisions within the GDPR – including requirements for cross-border data transfers and their interplay with the EU-U.S. Privacy Shield, the role of data protection officers, and the “one-stop shop” rule – that also merit careful attention from affected organizations. All of which spotlights the need, particularly in the U.S., for multinational companies to be prepared for the law’s implementation. Indeed, enterprises must take actionable measures to ensure they are in compliance with the GDPR on its effective date next year. We will detail some recommended guidelines for doing so in our next post on the GDPR.
 GDPR, Article 3.
 Id. at Article 4(1).
 Id. at Article 7.
 Despite these enhanced protections, organizations may still process personal data based on other lawful reasons including when “processing is necessary for the purposes of the legitimate interests” of the organization. GDPR, Article 6.
 Id. at Article 12, et seq.
 Id. at Article 17.
 Id. at Article 33(1).
 Id. at Article 35.
 Id. at Article 25.
 Id. at Article 83.