As concerns about cybersecurity weigh increasingly heavily on manufacturers and other companies around the United States, the European Union has adopted an expansive new regime to protect the personal data of individuals in the EU. The EU's initiative, the General Data Protection Regulation (GDPR), might ordinarily be viewed with little interest by American companies. However, because the GDPR applies to companies outside the EU that handle the data of people inside it, a great many manufacturers and other American companies may unknowingly be at risk of violating the new law, and thus subject to significant monetary penalties. The good news is that, whatever your level of interaction with companies and/or individuals in the EU, there are measures that you can take to comply with the GDPR.
On May 25, 2018, the GDPR will go into effect. The GDPR empowers the data protection supervisory authorities of the EU member states to investigate companies' compliance with the GDPR, issue warnings, and impose administrative fines on entities that violate it. Additionally, individuals, or "Data Subjects" as they are called by the GDPR, may lodge complaints with a supervisory authority or seek a judicial remedy for an entity's violation of the GDPR, whether or not their information was actually compromised. The GDPR authorizes fines of up to €20 million (approx. $25 million) or 4 percent of a company's worldwide annual revenue, whichever is greater.
At the most basic level, any company in the world that collects, stores or otherwise processes the "Personal Data" of individuals in the EU in connection with offering them goods or services, or with monitoring their behavior, will be subject to the GDPR. The GDPR broadly defines the term "Personal Data," and thereby increases the number of entities that will be considered "controllers" or "processors" of such data. Personal data includes obvious identifiers, such as an individual's name, photos, email address, bank details, and medical information. However, many less-obvious identifiers, such as login credentials, vehicle identification numbers (VINs) tied to an owner, social media posts, IP addresses and cookie identifiers, are also included in the GDPR's definition of "Personal Data." Therefore, if any of this information relating to an individual in the EU is maintained by your company, you may be subject to the GDPR.
At a minimum, thousands of U.S. companies will become subject to the GDPR by virtue of soliciting and collecting the information of customers in the EU, and this includes manufacturing companies that buy or sell practically anything from or to anyone within the EU.
U.S. companies that are subject to the GDPR should take immediate steps to make sure they will comply with the new law. While the GDPR sets forth a long and complex list of requirements, a few simple actions can go a long way in ensuring GDPR compliance. Instead of considering all of the GDPR compliance requirements, U.S. companies would be well-served to consider some of the more fundamental aspects of the GDPR when deciding how to comply with the law.
No. 1 - Review Your Document Retention Policies.
U.S. entities should review their data retention policies. Although recent high-profile data breaches have caused many companies to improve their data retention policies, the GDPR's storage-limitation principle is more demanding than current U.S. practice: personal data may be kept in identifiable form only as long as necessary for the purpose for which it was collected. As such, companies should understand exactly what data they are retaining and/or destroying, as well as when and why they are doing so, and should be able to document it.
No. 2 - Be Aware of the Expanded Scope of “Personal Data.”
The GDPR's definition of "Personal Data" greatly expands what is considered personal information, and it should give even the most vigilant data hawks cause for concern. For instance, the GDPR treats online identifiers such as IP addresses and the identifiers stored in website "cookies" (the small pieces of data a website places in a visitor's browser, for example to keep the visitor logged in) as "Personal Data" when they can be used to single out an individual. All manufacturing companies should take a long look at the information they are gathering, and seriously review whether or not they are already collecting Personal Data from Data Subjects in the EU.
No. 3 - Revise Your Outward-Facing Privacy Policies and Notices.
The GDPR creates a whole new set of requirements to lawfully obtain individuals’ Personal Data, including notice requirements about what information will be collected and how that information will be handled. Manufacturers should consider how the GDPR’s consent requirements will affect how they interface with consumers.
No. 4 - Ensure That Your Third-Party Providers are Complying with the GDPR.
The GDPR will make manufacturers and other companies in the U.S. accountable for their third-party data handlers, and it requires a written contract with each processor that sets out the processor's obligations. Therefore, you should review all third-party vendors your company deals with, and the contracts you have with them, to make sure that they are adequately protecting your customers' information.
No. 5 - Educate Your Upper Management.
Compliance starts at the top, so directors and managers themselves should undertake to conduct a review of their company’s cybersecurity policies and procedures. Given the recent attention to and increased understanding of the harmful effects of data breaches, directors now almost certainly have a duty to ensure that their companies are prioritizing data security, and they may face personal liability if they fail to do so.
No. 6 - Review Your Existing Cybersecurity and Data Privacy Policies (and Add Some New Ones).
Most manufacturers understand the increased scrutiny into their cybersecurity and data privacy policies, and many have already taken steps to improve such policies. GDPR or not, every single company that deals with individuals’ data should have data security policies and procedures in place.
No. 7 - Think About Your Customers.
Of all the GDPR rules, the requirement to obtain consent to collect data is probably the most distinctive and hardest to address. The GDPR sets a high standard for consent: it must be freely given, specific, informed and unambiguous, given by a clear affirmative act (so pre-ticked boxes or silence do not count), and as easy to withdraw as it was to give. What the law does not do is prescribe the mechanism a company should use to obtain it. Consent is also only one of the lawful bases for processing; data processed because it is necessary to perform a contract with the customer, for example, rests on a different basis. Manufacturers should begin considering which basis applies to each kind of data they collect and, where consent is the basis, the method they will use to obtain it from customers in the EU. Crafting proper consent procedures will likely be time consuming, so companies should not delay in considering how to comply with the new law.
When the GDPR goes into effect in May, it will be a whole new world for thousands of companies, and millions of individuals, both in the U.S. and in the EU. By taking certain protective measures, manufacturers can make sure to the greatest extent possible that they stay on the right side of the new law.
Dan Messeloff is a partner in the Privacy and Data Security practice group at Tucker Ellis LLP.