Your Data Just Got a Privacy Upgrade

Most of you likely noticed that on or about May 24th, you received a number of emails from websites you frequent or follow, informing you that the company’s privacy policy was changing. That is because on May 25, 2018, significant regulatory changes – one of the most sweeping in years – went into effect. That regulation was Europe’s General Data Protection Regulation (the “GDPR”). The regulation affects any company that might have or collect personal data from the European Union in its databases, imposing new obligations on companies marketing to, tracking, or handling the personal data of Europeans, whether or not the company is in the EU.

The GDPR requirements will force U.S. companies to change the way they process, store and protect the personal data of customers. For example, companies will be allowed to store and process personal data only when the individual consents and for “no longer than is necessary for the purposes for which the personal data are processed.” Such personal data must be portable from one company to another, and companies must erase a customer’s personal data upon request.

This erasure requirement is known as “the right to be forgotten.” There are some notable exceptions, such as when where there are legal requirements that a certain organization maintains certain data (i.e. HIPAA health record requirements).

Other changes include a broadening of what is deemed personally identifiable information. Companies will need to institute the same levels of protection for things like an individual’s IP address or cookie data as they do for names, addresses and social security numbers. The GDPR states that companies must provide a “reasonable” level of protection for personal data, yet it fails to state what constitutes “reasonable,” leaving much room for interpretation and, therefore, noncompliance issues.

The GDPR also places equal liability for non-compliance and/or breaches on data controllers (the organization that owns the data) and data processors (outside organizations that assist in managing that data). If your company appears to be in compliance, but uses a third party processor who is not, then you company is in violation of the GDPR. Any contracts with such third party processors should explicitly lay out the responsibilities of each party, and precisely define consistent processes for how the data is managed and protected, and how breaches are reported and handled.

In addition, the DGPR mandates a 72-hour reporting window, wherein companies must report any data breaches to supervisory authorities and the individuals affected by the breach within 72-hours of the breach being detected.

The GDPR not only outlines stricter parameters for collecting and using data, but it may have the secondary effect of altering the appeal of data as well. While until now the collection of data has largely been seen as an asset of a company, it may now be viewed more in the light of a liability. Companies may be more apt to limit what they collect so as to minimize their liability in how such data is handled.

These changes come at a time when consumer concerns over recent, some very publicized, data breaches is at an all-time high. With technology taking leaps and bounds, rather than baby steps, regulations in the U.S. and elsewhere will have to adapt in order to best protect its citizens and to preserve confidence in the companies we know and love, and, more importantly, to whom we give our money and private information.

Contact the attorneys at Khashayar Law Group and LOKK Legal for more information.

Khashayar Law Group
(760) 806-4388

LOKK Legal
(858) 472-9700