What GDPR Means for U.S. Brands

If you work with data, or if data is important to your brand, you’ve no doubt heard about GDPR. We hope so, anyway. The General Data Protection Regulation (Regulation (EU) 2016/679) is a piece of legislation which will come into force across the European Union on May 25, 2018. But you shouldn’t turn your head the other way just because you’re an American company. GDPR will affect your brand if your marketing and eCommerce operations reach a European audience.

For companies that operate in European markets or have actual or potential customers there, even if all physical operations take place in the United States, compliance with GDPR is mandatory, and the penalty for failing to comply is a fine. A major fine. Under Article 83, the most serious infringements can draw a fine of up to €20 million or 4% of global annual turnover, whichever is higher.

In short, if you process personal data about individuals who are in the EU in the context of offering them goods or services (paid or free), or of monitoring their behaviour there, then you will need to comply with GDPR (Article 3).

But what exactly does GDPR require, and how must you comply?

At its core, the GDPR protects all personal data, meaning any information relating to an identified or identifiable natural person (roughly what U.S. practice calls personally identifiable information, or PII). Truly anonymized data falls outside the Regulation, but pseudonymized data does not: if a person can still be re-identified with the help of additional information, it is still personal data. Any company or organization that stores or processes personal data about “natural persons” (individual human beings) who are “data subjects” under the Regulation must comply. Note that the Regulation’s reach is defined by where the data subject is, not by citizenship: it covers people who are in the EU, whether or not they are EU citizens.

The basics of GDPR

In its long and detailed text, the GDPR defines what types of personal data are at stake here:

  • Name, address, and phone number
  • IP address and cookies
  • Racial identity
  • Religious and political affiliation
  • Health and genetic data
  • Biometric data
  • Sex life and sexual orientation

Digital marketers: Notice the first two entries on that list, and then consider the following.

Storing or processing of personal data can be undertaken only if:

  • The data subject has given consent to the processing of his or her personal data for one or more specific purposes
  • Processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract
  • Processing is necessary for compliance with a legal obligation to which the controller is subject
  • Processing is necessary in order to protect the vital interests of the data subject or of another natural person
  • Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
  • Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

That’s a lot of legalese, I know. So to put it in layman’s terms: every use you make of personal data about European data subjects needs one of those six lawful bases, and the basis that most marketing relies on, consent, can be withdrawn at any time. Paragraph 70 of the preamble underlines that point for direct marketing:

“Where personal data are processed for the purposes of direct marketing, the data subject should have the right to object to such processing, including profiling to the extent that it is related to such direct marketing, whether with regard to initial or further processing, at any time and free of charge. That right should be explicitly brought to the attention of the data subject and presented clearly and separately from any other information.”

And to make matters even more difficult for multinational companies, there is also a “right to be forgotten.” More about that below.

This imperative to protect personal data about European data subjects threatens business strategies, practices, and processes worldwide, especially for cloud, SaaS, and mobile-driven enterprises. In order to cope with the GDPR, brands with international operations have been developing alternative, compliant data-storage centers within the EU. According to a report released by PwC, 64% of executives at U.S. corporations reported that “their top strategy for reducing GDPR exposure is centralization of data centers in Europe. Just over half (54%) said they plan to de-identify [i.e. anonymize] European personal data to reduce exposure.”

“The threats of high fines and impactful injunctions, however, clearly have many others reconsidering the importance of the European market,” the study says. In fact, 32% of respondents plan to reduce their presence in Europe, while 26% intend to exit the EU market altogether.

That’s a high percentage of lost business, but if you’re a company that wants to navigate the terrain and remain in the EU, here are a few things you need to think about.

Whether you’re a Data Controller or a Data Processor (or both)

According to Article 4 of Regulation, these two roles are distinguished as follows:

A Data Controller is “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data…” A Data Processor is “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.” This marks a departure from previous European data law, which affected only controllers, not processors working for them.

If it’s not obvious: a brand offering products or services is a “legal person” in those definitions. It will be a controller for the data it collects about its own customers, a processor for data it handles on behalf of another business (for example, running campaigns on a client’s customer list), or both at once.

Whether you need to designate a Data Protection Officer

Some controllers — and processors — will be required to designate a Data Protection Officer (DPO). In addition to being mandatory for public authorities, any company involved in “regular and systematic monitoring of data subjects on a large scale,” or if its “core activities” involve large-scale processing of particularly sensitive data (such as data relating to someone’s racial or ethnic origin, religious or political affiliation, health, sexual preference or criminal history) will need a DPO.

Again, this applies to any United States-based brand whose core marketing or sales activities involve large-scale processing of non-anonymized data about European data subjects, or regular and systematic monitoring of them (online behavioural advertising is the classic example). The DPO can be a contractor, but must possess the requisite specialist knowledge. The Article 29 Working Party guidelines recommend that the DPO be located in an EU member state, and the Regulation itself requires that the DPO report directly to the highest management level.

Whether you can safeguard these additional data subject rights

According to Chapter III of the GDPR (Articles 12 to 22), the data subject also has other important rights, including:

  • Access (Article 15): The right, exercised at reasonable intervals, to learn whether personal data about them is being processed and, if so, to receive a copy of that data together with the purposes of the processing, the recipients and the intended retention period.
  • Accuracy (Articles 16 and 18): The right to have inaccurate data rectified, and to restrict processing while the accuracy of the data is being contested.
  • Consent (Articles 4(11) and 7): Consent must be “freely given, specific, informed and unambiguous,” requested in “clear and plain language” and presented separately from other matters; “explicit” consent is required for the special categories of data listed above. Withdrawing consent must be as easy as giving it. Significantly, consent may not be regarded as “freely given” where performance of a contract is made conditional on consent to processing that is unnecessary for that contract. This has the potential to restrict much fishing for personal data in eCommerce contexts. (Also, existing consents remain valid only if they already meet these conditions, so they should be audited rather than assumed adequate.)
  • Data Portability (Article 20): The right to request and receive their personal data from a controller in a “structured, commonly used and machine-readable format” which allows it to be transferred easily to another data controller.
  • Erasure (right to be forgotten, Article 17): The subject has the right to withdraw consent and ask for personal data to be “erased and no longer processed where the personal data are no longer necessary in relation to the purposes for which they are collected or otherwise processed, where a data subject has withdrawn his or her consent or objects to the processing of personal data concerning him or her…” (paragraph 65 of the preamble).

Other provisions you need to watch

There are many layers of detail beneath the complicated-enough terrain mapped above. For example, Chapter V of the GDPR allows transfer of personal data outside the EU only in defined circumstances, one of which is a finding by the European Commission that the destination territory provides an adequate level of protection.

The United States has no general adequacy finding. The “Safe Harbor” agreement that U.S. companies relied on was invalidated in 2015, and its successor, the EU-U.S. Privacy Shield, covers only companies that self-certify under it; Canada’s adequacy decision is partial, covering organizations subject to its PIPEDA law. Outside those routes, transfers can rest on the Commission’s standard contractual clauses or, for intra-group transfers, on Binding Corporate Rules, under which the members of a corporate group confer legally enforceable rights on data subjects to have their data protected when it is transferred internationally.

Still not convinced GDPR will change the way your brand does business? Remember, we are not lawyers. We can lay the information out to the best of our ability, but if you think you might be affected, it’s time (past time, actually), to seek expert advice.
