GDPR: What You Should Know

Editor's Note: On May 25, 2018, the EU General Data Protection Regulation (GDPR) will go into effect, impacting any organization that processes data from EU citizens. The following article is from Pillsbury Winthrop Shaw Pittman LLP, and is republished here with the firm’s permission. Read on to find out what GDPR could mean for your agency, as well as a link to a sample Privacy Notice template from Pillsbury Winthrop Shaw Pittman LLP.   
 

How will the new European Union (EU) data protection law affect U.S. not-for-profit organizations?

Not-for-profit organizations based in the U.S. can often handle large amounts of data which originates in the EU—for example, they may have employees in Europe or a large member database that includes Europeans. 

Not-for-profits may receive such data either directly from EU citizens or indirectly, including from affiliates or member organizations, acting as a “data controller” with respect to such data (having control over how data is used) or as a “data processor” (acting on the instruction of the party sharing the data). 

Unfortunately, being a not-for-profit does not exempt an organization from compliance, which is a common misconception.

The EU General Data Protection Regulation

On 25 May 2018, the EU General Data Protection Regulation 2016/679 (GDPR) will come into force and will apply to any organization, anywhere in the world, which processes the personal data of EU citizens.

As a result, not-for-profit organizations based in the United States that process EU personal data will be required to comply with the GDPR, even though they are based in the United States (or elsewhere outside Europe).

Why is this important?

A failure to comply could attract a fine of up to 20M euros from an EU regulator. Consequences for non-compliance are, therefore, severe.

What are the key changes for not-for-profit organizations?

Some of the key changes introduced by the GDPR include:

• Data Protection Officers (DPOs). In many circumstances, controllers and processors will need to appoint DPOs.
• Data processors. Where not-for-profit organizations act as a data processor they will have direct liability to EU regulators for the first time if they were to suffer a data breach. They will, therefore, need to audit the data they hold and identify where they are acting as a data processor, including taking steps to protect that data.
• Consent must be “explicit” for certain categories of data collected. Organizations will need to review how data is collected and ensure valid consents are obtained.
• Privacy policies. Public-facing privacy policies now need to be more detailed. For example, information needs to be given to individuals about their new enhanced rights to access data and have data about them permanently deleted. Internal policies and processes also need to be updated to handle such requests from individuals.
• International transfers. If U.S.-based not-for-profit organizations receive data from within the EU, they will need to consider how those exports/imports are “adequately safeguarded” from an EU perspective. Adequate safeguards need to be put in place with respect to such transfers (e.g., European Commission approved model contract clauses).
• Breach notification. New rules requiring data breach reporting within 72 hours (to EU regulators and individuals affected) were enacted through the GDPR. Internal policies and procedures need to be established or updated in order to maintain compliance.
• Service providers. Where organizations appoint third parties to carry out services on their behalf and data that originates in the EU is shared with those third parties, then the services contract must contain certain provisions in order to protect the data.

What key actions should be taken done now to prepare?

• Appoint a Data Processing Officer where required.
• Audit your Consents. Fresh, lawful consents to process data should be obtained where necessary.
• Review Privacy Notices and Policies. Outward-facing privacy policies should be updated to ensure compliance with GDPR.
• Audit imports of data from the EU. Imports of data should be audited to ensure adequate safeguards are in place.
• Prepare/Update your Data Security Breach Plan. Develop a data security breach plan if none is currently in place or update existing plans to reflect the new 72-hour reporting obligations.
• Set Up an Accountability Framework. Organizations are required to have a record of all data they process, so an essential step should be to “map” all data currently held by the organization.
• Review services contracts. Contracts should be updated to confirm they contain the appropriate data processing and protection clauses required by the GDPR.

A Note from Pillsbury, Plus Template for US/EU Privacy Notice

A fundamental requirement of the new EU General Data Protection Regulation 2016/679 (GDPR), is that your organization must be transparent about how it processes Personal Data. There are two elements to this requirement. 

First, your organization must understand what Personal Data it holds, where it came from, why you hold it and with whom you share it. In the past, many organizations have not had adequate oversight of their data processing activities and, as a result, will need to undertake a data-mapping exercise to better understand current processes. Certain organizations will also be required to keep up-to-date processing records detailing this information in order to respond to EU regulators, who may request this information without notice. 

Secondly, your organization must provide specific information to data subjects about how you process their Personal Data. This information is generally contained in a Privacy Notice or Privacy Policy which must be written in clear and plain language, and should appear in a prominent position on your website. The Privacy Notice should be used in conjunction with an internal Privacy Policy that details how employees should handle Personal Data, how employees should deal with requests from users to access their Personal Data, etc. 

This example Privacy Notice (available for download here, starting on page 2) can serve as a helpful starting point to satisfy the requirements of the GDPR and U.S. laws, but must be adapted to reflect how your organization specifically processes Personal Data. 

It is important to understand the definition of Personal Data under European law, which in some cases, may be broader than other definitions, such as “personal identifying information” (PII) or “non-public personal information.” The definition of Personal Data set out in this draft Privacy Notice mirrors the GDPR. 

The example provided in the link above, and below, includes drafting notes in gray boxes to help explain each section and identify further considerations for your organization. 

Download the full article and Privacy Notice template from Pillsbury Winthrop Shaw Pittman LLP here.