The General Data Protection Regulation (GDPR) was passed by the EU in April, 2016, and goes into effect in May of 2018. It repealed and replaced the General Data Protection Directive (GDPD), which was previously the primary directive covering privacy across the EU. The GDPR is more specific in its requirements and definitions, leaving less room for interpretation when it comes to the directive, thereby simplifying overall compliance to the rule. Great Britain will enforce the GDPR despite the Brexit vote.
For a US company to fall under GDPR all they need to have is people on the ground in Europe. It does not matter what these people do, if someone is on payroll in Europe, the company falls under GDPR. Also GDPR defines “personal data” as IP addresses, names, and just about any information that may be personally identifiable for an EU citizen. U.S. companies are covered by Privacy Shield, but legal experts are unsure as to how long this will last in the face of the GDPR becoming law next year. For companies that store/process/transmit EU consumer data in an EU country (or Great Britain), planning for the GDPR is the primary objective.
Canadian government is unsure as to whether or not PIPEDA passes the equivalence test for the GDPR as it previously did with the GDPD. It sounds like they’re looking to alter PIDEDA to bring it into full compliance with the GDPR, which means that we might be asking these same privacy questions with U.S. firms storing/processing/transmitting data for Canadians.
Privacy Shield, and before that, Safe Harbor, is considered equivalent to the GDPD, so if you can prove compliance there, you are OK under the EU’s existing privacy laws. In terms of actual laws, US is not looking at passing anything that will afford similar privacy protections for our citizens. There are some differences between the Privacy Shield and the GDPR, one being the timeframe required to report a breach, which will need to be resolved.
The first priority for any U.S.-based organization that is only storing/processing/transmitting EU consumer data is to achieve compliance to Privacy Shield. It is only speculation as to what will come down the road once the GDPR goes into effect, and how that will change the existing Privacy Shield regulations. The EU is expecting full compliance with the GDPR, regardless of Privacy Shield, by May of 2018.
Is your company a data processor or data controller? Broadly, a controller outlines how and why the data is processed, and the processor actually does the processing. A processor has a number of legal obligations specific to how it stores/processes/transmits data, which is the meat of the GDPR. A controller has a responsibility to ensure that all of its processors are in compliance with the GDPR. From the GDPR - “Personal data means any information relating to an identified or identifiable natural person (‘data subject’).” It goes on to specify everything from a name to an identification number to an online identifier (which includes an IP address). While the definition is specific, the amount of data now considered to be personal is extremely broad, which means that organizations will have a difficult time excluding themselves from the compliance requirement.
While software and hardware can help organizations meet some of the requirements of the GDPR, they are not a silver bullet for GDPR compliance. A creation of GDPR-compliant privacy policies and standards, and performing a Privacy Impact Assessment, which are imperative to a company’s privacy and GDPR compliance requirements is a first step.