South Carolina Lawyers are YOU Ready for the GDPR?

With the European Union’s (“EU”) General Data Protection Regulation (“GDPR”) set to take effect on May 25, 2018, the time is now(yesterday really) to consider how this law will affect many aspects of your relationship with your clients and how your practice operates.  Before discussing the major topics within the GDPR, it is important to define several terms that exists within the GDPR Framework. (Note: Article References are to the GDPR text[1])

Key Terms
Controller – As defined in Article 4(7) and described further in Article 26 a “Controller” is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law. 
Data Subject – For the purpose of discussing the GDPR, a “Data Subject” is an individual that is a citizen of the EU, or that resides in an EU Member State.
Processor – As defined in Article 4(8) and described further in Article 28 a “Processor” is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.  
Personal Data -- for purposes of the GDPR means any information relating to an identified or identifiable natural person.  Examples of such identifiable information includes: Name, ID Number, location data, an online ID/Handle, physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Third Party – As defined in Article 4(10) a “Third Party” is a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data.

What is the GDPR?
The GDPR is a regulation in EU law that governs the personal data and information of EU citizens and residents. 

Who does the GDPR apply to?
The GDPR applies to:
  1. Organizations (both for-profit and non-profit) that process personal data in any capacity with one of its branches established in the EU, regardless of where the data is processed, 
  2. Organizations established outside of the EU that offer goods and/or services within the EU regardless of price or lack thereof, or that monitor the behavior of EU citizens or those residing in the EU.
By contrast, the regulation does not apply to an organization that provides services to those outside of the EU that doesn’t specifically target citizens of the EU or those residing in the EU.  

EU Nations are:
Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden and the UK.

There are four key changes that organizations subject to the GDPR need to be aware of:

1)    Increased Territorial Scope.  The GDPR greatly expands the scope of whom is responsible for data privacy protections. 

2)    Penalties.  Organizations in breach of the GDPR can be fined up to 4% of annual global turnover or €20 million, whichever is greater.  Although there is a tiered approach to the allocation of fines (Eg. 2% for an organization not maintaining proper records or notifying a supervising authority of a data breach or issuance of a warning or increased scrutiny for instances of minor non-compliance) the exposure to liability is momentous for organizations under the regulation’s jurisdiction.

3)    Consent. Lengthy disclaimers are not permissibleunder the GDPR. Qualifying disclaimers from organizations must:
i)              State the purpose for the data collection,
ii)             Be clear and distinguishable from other matters,
iii)           Be written in plain discernable language, and 
iv)            Provide a method of withdrawing this consent easily.

4)    Data Subject’s Rights
a.    Breach Notification.  Data breaches that may “result in a risk for the rights and freedoms of individuals” must be reported within 72 hoursof becoming aware of the breach.  Those affected by such breaches must be notified without “undue delay”.

b.    Right to Access.  This right enables Data Subjects to ask a Controller; i) if their data is being processed, ii) where their data is being processed, and iii) for what purpose is their data being processed.  Furthermore, Controllers are required to provide a copy of the personal data, free of charge, in an electronic format.

c.    Right to be Forgotten.  Also known as Data Erasure, this right entitles Data Subjects to require Controllers to erase their personal data, cease further dissemination of the data, and potentially to have Third Parties halt processing their data.  Typically, two conditions must apply for a Data Subject to demand Data Erasure: 1) the data maintained is no longer relevant to the reason it was originally processed, and 2) withdrawal of Consent by the Data Subject.  For a more detailed explanation, please see Article 17 of the GDPR.

d.    Data Portability.  Data Subjects are entitled to receive from Controllers personal data concerning them, which they have previously provided in a common use and machine-readable format and have the Data Subject maintains the right to transmit that data to another Controller.

e.    Privacy by Design.  The requirement that Controllers, in designing systems that could intake personal data, design such systems to be GDPR compliant as described by Article 25.  Furthermore, Article 23 requires that Controllers onlyhold the data absolutely necessary for the completion of its duties, as well as limit the access to personal data to those who require it in order to act out the processing.

f.     Data Protection Officers(“DPO”).  Because of the increased internal record keeping requirements, DPO appointment is mandatory only for those Controllers and Processors whose core activitiesconsist of processing operations which require regular and systematic monitoring of data subjects on a large scale or of special categories of data or data relating to criminal convictions and offences.  Additionally, DPOs;

                                               i.     Must be appointed on the basis of professional qualities, particularly expert knowledge on data protection law and practices,
                                             ii.     May be a staff member or external service provider,
                                            iii.     Contact details must be provided for the relevant Data Processing Authority as stated by Article 51 of the GDPR,
                                            iv.     Must be provided with appropriate resources to carry out their tasks and maintain their expert knowledge,
                                              v.     Must report directly to the highest level of management, and, 
                                            vi.     Must not carry out any other task that could result in a conflict of interest.

What does all this mean for South Carolina lawyers?
By now it should be clear that the landscape for cultivation of Personal Data and maintenance of that data will never be the same.  With the GDPR the EU is taking a clear stand in the discussion about how data is collected and used and providing heavy punitive repercussions for non-compliance.  

Organizations, both those for profit and non-profit, with any connection to any EU member State, either through its membership, or how it operates, should immediately seek counsel to ensure compliance with the GDPR and avoid catastrophic exposure to risk and liability.  The biggest threat is realized by non-obvious organizations that fall under the GDPR’s jurisdiction.  South Carolina-based  schools, law firms, banks, alumni organizations, fraternities & sororities, professional or industry organizations, real estate agents, and goods manufactures (just to name a few) all need to ensure that they are compliant with the GDPR requirements as soon as possible.
EU Data Protection Reform: ensuring its enforcement, European Commision Fact Sheet, January 2018. (Accessed April 26, 2018.)
Christopher Campbell is an associate at Willoughby & Hoefer, P.A. His practice areas include administrative law, business law, litigation, and international commercial arbitration.
[1]Full Text of GDPR: https://gdpr-info.eu

Comments

Popular posts from this blog

Young Lawyer Spotlight of Andrew Walden

Young Lawyer Spotlight: Jeremy Summerlin

Young Lawyer Spotlight: Thomas Scott