What GDPR Means for U.S. Brands
Whether you're a Data Controller or a Data Processor (or both)
According to Article 4 of the Regulation, these two roles are distinguished as follows:
A Data Controller is “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data…” A Data Processor is “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.” This marks a departure from previous European data law, which applied only to controllers, not to the processors working for them.
In case it's not obvious, brands offering products or services are likely to find themselves under “other body” in those definitions.
Whether you need to designate a Data Protection Officer
Some controllers — and processors — will be required to designate a Data Protection Officer (DPO). Designating a DPO is mandatory for public authorities, and any company involved in “regular and systematic monitoring of data subjects on a large scale,” or whose “core activities” involve large-scale processing of particularly sensitive data (such as data relating to someone's racial or ethnic origin, religious or political affiliation, health, sexual preference or criminal history), will also need one.
Again, this seems clearly to apply to any United States-based brand whose marketing or sales operations involve large-scale processing of non-anonymized data, including information about European data subjects. The DPO can be a contractor, but must possess the requisite specialist knowledge. EU-issued guidelines recommend that the DPO be located in a member country and report directly to senior management.
Whether you can safeguard these additional data subject rights
According to Article 12 of the GDPR, the data subject also has other important rights, including:
- Access: The right, exercised at reasonable intervals, to know what personal data has been collected and how such data has been processed
- Accuracy: The right to restrict processing where data is inaccurate
- Consent: The data subject's “freely given” and “explicit” consent to the processing and storage of personal data must be sought in “clear and plain language,” separate from other information. Significantly, consent may not be regarded as “freely given” where performance of a contract is made conditional on consent that is unnecessary to the performance of that contract. This has the potential to restrict much of the fishing for personal data in eCommerce contexts. (Also, while existing consents may be adequate, they should be audited to ensure they meet these new conditions.)
- Data Portability: The right to request and receive their personal data from a controller in a format that allows it to be easily transferred to another data controller.
- Erasure (right to be forgotten): The subject has the right to withdraw consent and ask for personal data to be “erased and no longer processed where the personal data are no longer necessary in relation to the purposes for which they are collected or otherwise processed, where a data subject has withdrawn his or her consent or objects to the processing of personal data concerning him or her…” (paragraph 65 of the preamble).
Other provisions you need to watch
There are many layers of detail beneath the complicated-enough terrain mapped above. For example, GDPR allows transfer of data across borders in various circumstances, including a finding that the destination territory can adequately protect the data.
Since the demise of the “safe harbor” agreement, it's not clear that the United States (or Canada) meets that standard, except partially. There is an opportunity to conduct legitimate intra-group data transfers under a system of Binding Corporate Rules, where members of joint commercial enterprises confer legally enforceable rights on data subjects to have their data protected when transferred internationally.
Still not convinced GDPR will change the way your brand does business? Remember, we are not lawyers. We can lay the information out to the best of our ability, but if you think you might be affected, it's time (past time, actually) to seek expert advice.