1. About 100 days from now, the GDPR takes effect on May 25, 2018
2. Applies to all European Union subjects (citizens) regardless of geographic location, and it looks as though the UK is going to opt in
3. EU Regulations treat consumer data the same as employee data
4. Covers “collectors” and “processors” of personally identifiable information (PII)
5. Protections apply to any information (data) traceable to an individual, so that means name, address, date of birth, IP address, gender, sexual orientation, criminal history, etc.
6. Requirements are similar to HIPAA but are not limited to personal health information (PHI); they are generally reserved for large collectors and processors, meaning those with at least 250 employees
7. Be careful: Article 30 exempts enterprises with fewer than 250 employees so long as the “processing is not occasional,” among other things
8. If sales of goods or services are targeted to EU subjects, then the seller must have a specific reason for collecting the data, articulated clearly to the individual, who must knowingly opt in to each general use category
9. If covered by the GDPR, the enterprise must locate, identify, and track all data
10. If covered by the GDPR, the enterprise must maintain detailed records of security measures and processes to maintain privacy and remove data from the system for various reasons including the “right to be forgotten”.
For those who understand and apply HIPAA, the requirements in the GDPR are very similar for large collectors and processors of personal data traceable to an EU citizen. They include an assessment of the data collected and processed by the enterprise and documented procedures to manage and track all data protection measures.
A data processor is an enterprise that processes data for another, and a controller is an enterprise that obtains or collects the data. What data? Personally identifying information: anything that can be traced back to an EU citizen. Like what? The usual (name, address, Social Security number, date of birth), but also race, gender, criminal history, and IP addresses. For what? That’s part of the regulations. An enterprise must identify why it is collecting the data and must get individualized consent to obtain and retain it. And those boilerplate catch-all “I Agree” buttons will not work. The enterprise must clearly identify each discrete category of data collected or processed and obtain consent for each one. Additionally, the enterprise must have policies and procedures for removing “old” data and for correcting the data upon request.
Although the requirements seem onerous, it may be advantageous to advertise GDPR compliance to prospective customers who are becoming more concerned about data collection and protection. Try not to weep because we can help you get through it. Just give us a call!
Julie-Karel (JK) Elkin focuses on IT and Health Data, Litigation (Business and Commercial, Insurance Coverage and Bad Faith) and Products Liability law in the Nashville office.
This blog contains general information about legal matters. The information is not advice, and should not be treated as such. Communication of information by, in, to or through this blog and your receipt or use of it: (1) is not provided in the course of and does not create or constitute an attorney-client relationship; (2) is not intended to convey or constitute legal advice; and (3) is not a substitute for obtaining legal advice from a qualified attorney.