The General Data Protection Regulation Is Here. Now What?

Author: Petersen, Kyle
Position: Legal Brief

By now, most US businesses and organizations have heard of the General Data Protection Regulation, or GDPR. This EU regulation is drawing attention in the United States because it expands the territorial scope of EU data protection laws, significantly increases the penalties for non-compliance and is shrouded in uncertainty.

GDPR may apply to US businesses and organizations with no physical presence in the EU, and it introduces extremely high fines. It also introduces vague requirements, and it is unclear how those will be enforced. Whether you are a US cloud-based service provider or have employees across the EU, you need to understand GDPR enough to know when it affects your business.

You must understand your business well enough to answer this question: is your business a controller, processor or both? The answer to this question defines what regulatory duties you have under GDPR. Simply put, a controller is the person who owns or functionally controls the personal data. Processors take direction from controllers and do not have the right to determine the purpose for which personal data will be used.


GDPR introduces new controller obligations that merit special attention. Of particular concern are GDPR's breach notice, vendor management and privacy by design and default requirements.

Breach Notice: Unlike US state requirements, which generally only apply to unauthorized access or acquisition, GDPR broadens the definition of a breach to include alteration, destruction or loss of personal information.

Vendor Management: Article 28 requires that controllers only use processors that provide sufficient guarantees to implement appropriate technical and organizational measures. It further provides that any processing must be governed by a contract, and such contract must obligate the processor to:

* Process personal data only on documented instructions from the controller

* Ensure confidentiality

* Implement appropriate security measures

* Assist the controller with its obligations to comply with certain provisions of GDPR

* Delete or return personal information upon request

* Provide information necessary to demonstrate compliance with its obligations

In some cases, vendors will be unfamiliar with GDPR. Businesses will need to carefully determine which contracts need to be updated and be prepared to explain to vendors the reason why.

Businesses with a high volume of vendor contracts should start with high-risk vendors...
