Key GDPR Terms U.S. Companies Need to Know

by Sean Lockwood, 16 Jan 2023

Nowadays it is hard to miss the big headlines in the media about the much-discussed GDPR.

The aim of the GDPR (General Data Protection Regulation) is to protect all EU citizens from privacy and data breaches in an increasingly data-driven world. It applies to the processing of personal data by controllers and processors established in the EU, regardless of whether the processing itself takes place in the EU. In addition, controllers and processors not established in the EU must apply GDPR principles where their activities relate to offering goods or services to EU citizens or to monitoring behavior that takes place within the EU.

For small and medium-sized businesses across Europe, GDPR will be the biggest challenge of the coming year: 52 percent of EU businesses do not know what the impact of GDPR on their organization will be. The second group most affected by GDPR is U.S. companies investing in Europe. In a PwC survey of 200 U.S. companies on GDPR preparedness, 54 percent reported that GDPR readiness is the highest priority on their data-privacy and security agenda.

Below we present the six key GDPR terms U.S. companies need to know.

1. Data controller and processor outside the EU

GDPR defines two roles for stakeholders directly connected to data processing activities: the controller and the processor. A controller is a legal person, public authority, agency or other body which determines the purposes and means of the processing of personal data; a processor processes personal data on behalf of the controller.

Any organization that controls or processes data on people living in the EU, even if the organization is not located in the EU, must comply with GDPR principles. GDPR applies if the processing activities relate to the supply of goods or services to such respondents, whether or not payment is involved. An example is a U.S. company that intends to offer goods to respondents in the EU on a web page that uses a language and currency generally used in an EU member state, with the option of ordering goods and services in that language.

On the other side, if a company's activities involve monitoring the behavior of EU respondents, and that behavior takes place within the EU, the company must also comply with GDPR. For example, a marketing or sales company that monitors individuals' behavior on the Internet (on a web page) may, among other things, use personal data processing techniques that build a profile of an individual, in particular to make decisions about that person or to analyze or predict his or her personal preferences, behaviors and attitudes.

A controller or processor that has no business establishment in the EU but processes the personal data of respondents from the EU should appoint a representative, unless the processing is only occasional and does not include extensive processing of special categories of personal data. The representative acts on behalf of the controller or processor and may address any supervisory body on its behalf.

2. Consent

The greatest novelty introduced by GDPR is consent. Consent is evidence that the respondent agrees with the data processing activities. Consent should be given by a clear, affirmative action expressing the voluntary, specific, informed and unambiguous agreement of the respondent to the processing of personal data relating to him or her. Consent should cover all processing activities carried out for the same purpose; when processing has multiple purposes, consent should be given for all of them.

Consent could be a written, electronic or oral statement. This could include ticking a box when visiting a web site, choosing technical settings for an information service provider, or other statements or conduct that clearly indicate in this context that the respondent accepts the proposed processing of his or her personal data. If the processing is based on the respondent's consent, the processor should be able to prove that the respondent has given that consent.

The challenge for U.S. companies is respondent data discovery and a general data inventory. It should be clear what personal data the company is collecting, and in what manner and form. Only when the data inventory is defined can a transparent, informed and clear consent statement be produced.

3. Transparency principle

It should be transparent how personal data relating to respondents is collected, used, displayed or otherwise processed, as well as the extent to which this personal data will be processed. The principle of transparency requires that any information and communication relating to the processing be easily accessible and understandable, and that clear and plain language be used.

This principle applies in particular to information about the identity of the controller or processor. Respondents should be made aware of the risks, rules, safeguards and rights regarding the processing of their personal data, and of how their rights in relation to that processing are fulfilled. Such information could also be provided in electronic form, for example on a web site. A GDPR gap assessment performed by a U.S. company should therefore cover privacy policy statements, information security enhancement, third-party risk management, binding corporate rules and so on. U.S. companies can use certification mechanisms such as the EU-US Privacy Shield certification to inform respondents that they apply European privacy protection rules (although Privacy Shield is not fully compatible with GDPR).

4. The right to “data portability” and “to be forgotten”

GDPR strengthens respondents' rights concerning personal data protection, and several new rights are introduced. However, "the right to data portability" and "the right to be forgotten" are the most challenging with regard to available technology and implementation costs.

Each respondent should have the right to know and receive information about the purposes of processing his or her personal data, the period for which the personal data is processed (where possible), the recipients of the personal data, and the logic of any automated processing of personal data and the consequences of such processing, at least where it is based on profiling.

The respondent has the right to receive the personal data concerning him or her which he or she has provided to the controller, in a structured, commonly used and machine-readable format, and is entitled to transfer this data to another controller.

Respondents should be entitled to ask the controller to delete their personal data and to stop processing it if the personal data is no longer needed for the purpose for which it was collected or otherwise processed. The right to be forgotten on the Internet is achieved when the controller who published the personal data is obliged to delete all links to, copies of, or replicas of that personal data.

5. Privacy risk analysis

The controller is responsible for conducting a privacy impact assessment, in particular to assess the source, nature and severity of the risk. If the processing involves a high risk that the controller cannot reduce by appropriate measures (owing to technology and implementation costs), the supervisory body should be consulted before processing begins.

Risks to individuals' rights may arise from the processing of personal data that could cause physical or material damage, especially if such processing can result in discrimination, identity theft or fraud, financial loss, loss of confidentiality of personal data protected by business secrecy, unauthorized reversal of pseudonymization, or any other substantial economic or social harm. In order to demonstrate compliance with GDPR, the processor should introduce internal policies and implement measures that in particular meet the principles of technical data protection and integrated data protection.

Such measures could include minimizing the amount of personal data processed, pseudonymizing personal data as soon as possible, transparency regarding the functions and processing of personal data, enabling the respondent to monitor the data processing, and enabling the controller to create and improve security features.

6. Data breach notification

As soon as the controller becomes aware of a personal data breach, it should notify the supervisory authority without undue delay and no later than 72 hours after becoming aware of the breach, unless the controller can demonstrate that the breach is unlikely to result in a risk to individuals' rights and freedoms. The controller should also, without undue delay, inform the data subject if the personal data breach is likely to result in a high risk to individuals' rights and freedoms, so that he or she can take the necessary precautions.