The European Union (EU) will put the General Data Protection Regulation (GDPR) into effect on May 25th, and with it some potentially difficult and onerous requirements. Here are a few potential issues with which companies worldwide will have to contend:
- Article 7(1) of the GDPR states, “Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.” That means that anyone who signs up for a mailing list, a webinar, an email newsletter or any other type of communication from you will need to be fully informed of the “processing” that their data will undergo, and you will need to keep an accurate record of each instance of consent that has been granted. For example, someone who signs up to be on your corporate emailing list is granting consent for their information to be used strictly for the purpose of receiving email from you – you need to maintain a record of that consent. If they sign up for a webinar that you have announced to them in an email, they are granting consent to be contacted with regard to that specific webinar – you need to maintain a record of that, as well.
Our recommendation: excellent and up-to-date recordkeeping is going to be of paramount importance in order to remain compliant with the GDPR. That means good archiving of data subjects’ information, including the ability to search for and retrieve this information quickly and completely, and the ability to defensibly delete this information when needed.
- Article 22(1) requires that a “data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling…” and that includes their “location or movements” (Recital 71). What that likely means is that there is a prohibition on determining whether or not someone is an EU “data subject” based on things like their IP address when completing a form on your web site, for example. So, if someone who lives in the United States is on your corporate mailing list, where their information is not subject to GDPR compliance, but later moves to an EU country, where their data is now subject to the GDPR, is the onus on you to know they’ve moved? According to a strict interpretation of Recital 71, you’re not allowed to collect their IP address when they interact with you, and so you may not be able to determine that they have moved.
Our recommendation: act as if everyone is subject to compliance with the GDPR and process information accordingly.
- Articles 12 through 23 of the GDPR are the “Rights of the data subject”, which include things like their right to access and have corrected any information that a data processor or controller has on them, and their right to have that information deleted – their “right to be forgotten” – albeit with certain limitations. There are some serious implications for data controllers and processors in these requirements:
You need to know where all of your data is located. Data subjects’ information that might be stored on a departmental file share to which IT or legal does not have ready access, information stored in employees’ personal Dropbox accounts, or information stored on ex-employees’ personal devices could make it difficult or impossible to respond adequately to a data subject’s request for information or their right to have this data corrected or expunged.
Even with access to all of your data, an organization with malicious intent could organize a group of a few thousand people to request their data simultaneously. Given that the GDPR gives data processors and controllers only one month to comply with these requests (up to three months in some situations), an organization with inadequate content management systems in place could easily run afoul of the GDPR.
Our recommendation: conduct a thorough data inventory to determine where all of your data is located, give IT access to it, and implement a robust and scalable archiving capability that will enable all corporate data to be searched and produced quickly and with a minimum of effort.
Many thanks to Anne P. Mitchell, an Internet law and policy attorney and legislative consultant, for her input to this post. Her firm is offering consulting on the legal aspects of the GDPR – you can contact her here.
For more information on the GDPR, you can download our most recent white paper here.