The General Data Protection Regulation (GDPR) is a data privacy law in the EU (made law in April 2016) which has received a lot of recent attention in the United States, notably because the now two-year old law becomes enforceable on May 25th. Some US businesses might believe that European GDPR law doesn’t pertain to them, however they may find that GDPR affects them directly. Others businesses ask, how can EU enforce their law in the United States?
Below are some items to consider as we move toward the May 25 2018 deadline, when the law becomes enforceable.
- The GDPR can indeed affect businesses in the United States. If the business employs EU citizens, if it has any EU citizens’ personal data in its customer and marketing databases, or if it sells products or services to EU citizens, then the business must comply with GDPR.
- Any entity, such as a business process outsourcer (BPO) or managed service provider (MSP), that processes any information involving EU citizens, either for their own purpose or on behalf of the client they serve, is considered to be a Controller or Processor (or both) under GDPR and is affected by the full scope of GDPR.
For Example
If a business performs any processing of personal data of EU citizens, even when on behalf of its customer (such as a third-party payroll processing company serving its customer), then the payroll company is considered a “Processor” under GDPR. If the payroll processing company decides on its own, for its own purposes, to analyze individual salaries of global workforce individuals by location, education, sex, and age but does not first inform the EU citizen and obtain their expressed individual content ahead of this new purpose for processing, then the payroll company is violating GDPR. Think about that! There are many hundreds of examples where businesses leverage collected information for purposes other than the purpose for which it was originally collected or processed. GDPR prohibits this. Thus, when any business is not fully transparent to the affected EU data subjects about the specific purposes it intends to use their personal information, and fails to get their consent in advance for each and every use-case for processing EU citizens’ personal data, then that business is violating the law.
- The EU viewed US privacy law as being inadequate, especially the US Safe Harbor process. There now exists a Privacy Shield Framework between the US and EU, where it has produced stringent controls that must be met and verified. The US Department of Commerce is the body for sanctioning/fining US businesses that violate EU privacy data law. The following is the link to Department of Commerce Privacy Shield: https://www.commerce.gov/page/eu-us-privacy-shield
- Microsoft and Catapult Spyglass have both developed tools (including readiness assessment tools and best-practices) to assist clients in bringing their technologies and data storage into compliance with GDPR. Note, while neither Microsoft nor Catapult are law firms or legal consultants, and we cannot guarantee your compliance with GDPR (e.g., that’s on you, your legal and compliance teams to handle), we do offer sound experience, best-practices, and world-class solutions that can help align your technical environment to help meet these and other rigorous compliance requirements.
In coming weeks, we’ll be talking a great deal more about GDPR and the issues to be aware of as we all race toward the May 25 2018 deadline, when GDPR becomes enforceable.
Our Spyglass team has completely mapped out GDPR in our Compliance Framework in order to help clients navigate and comply, raising issues and gaps that they should be aware of. Spyglass is our IT security and compliance managed service which is designed to help clients map their existing IT security strategy with related technologies and best-practices to align with their regulatory requirements and standards, and remediate issues and gaps that may exist between compliance and technology environments, while simultaneously improving posture as well as user-adoption for security initiatives.
Until next time
Ed