Everything you need to know about the GDPR and potential impacts on US organizations
May 2018 saw the implementation of the General Data Protection Regulation (GDPR), which revamped privacy laws within the European Union (EU). However, these laws are also applicable to businesses, organizations, and associations within the U.S. that may have customers, employees, or business partners in the EU.
Here's more about what the GDPR is and how it could affect your association.
What is GDPR?
The EU first enacted the GDPR in 2016, and it went into effect on May 25, 2018. The introduction of these new regulations created a lot of work for companies worldwide, sometimes even requiring new positions, such as hiring chief data officers to ensure compliance.
The GDPR revolves around personal customer data, aiming to keep it more secure and private. Key points that the GDPR introduced include the following:
- Companies must allow customers to see and request data relating to them and give them the ability to delete it or amend it
- Data breaches must be reported within 72 hours
- Data policies must be transparent and visible
- Companies must follow privacy by design principles (which means data protection through technology design)
To put it simply, organizations must exercise greater care and diligence in obtaining consent to use customer data. The GDPR says that “processing personal data is generally prohibited, unless it is expressly allowed by law, or the data subject has consented to the processing.”
This has been shown to be especially complex for organizations such as hospitals, where sensitive medical records are handled.
Fines for failing to comply with the GDPR are high, which is one reason why there has been such a big focus on the new regulations over the past year. The maximum fine an entity could be charged is 4 percent of worldwide revenue or 20 million euros, whichever is higher.
Where to begin with your association
The GDPR doesn't affect U.S. associations that do not collect personal data of EU residents. It's important to note that the term data subjects is used in the GDPR to indicate those persons living in the EU. However, if an EU citizen is living in the U.S., for example, he or she is no longer under the GDPR and instead falls under American data protection laws. In this way, whether someone is a data subject under the GDPR depends on the person's current location.
However, it may still be wise for associations to ensure their data privacy practices are compliant. As the National Association of Realtors points out, reasons that U.S. associations may need to comply with the GDPR include the following:
- Personal data of EU residents, association members or not, may be collected or is planned to be collected
- Data from EU residents could be collected on the entity's website, using cookies or other online tracking tools
- An association may maintain records of current or former members who are EU residents
- Associations could interact with current EU residents and obtain personal data through sales or conferences
These are just a few examples of why an association in the United States may need to comply with the GDPR. Thus, it's important for association managers to implement additional strategies for data privacy.
- Review data collection processes and inventory data
First, figure out exactly what kind of data the association has access to and where it's stored. Is everything online? Is it password protected? Do physical files have any security methods in place? Was consent obtained to gather the information?
In reviewing these processes, organizations may discover that they do not collect or maintain any data of EU residents. However, it's important to err on the side of caution with the GDPR.
- Implement a plan to receive consent
Personal data of data subjects includes any information that could lead to the identification of the individual. When any personal data is involved in an interaction, consent is required for the organization to collect this data. The GDPR requires consent to be “freely given, specific, informed and unambiguous.” The individual must therefore provide explicit consent, either through a statement or an action.
Over the last year, you've probably noticed many websites have added some type of consent button on their home page that alerts the customer that the website is collecting personal data. To proceed, the user must click “accept” or “I understand,” for instance. The intended purpose for collecting said data must also be made clear to the user or customer. This consent process must be followed before the personal data is collected, according to the GDPR.
For your association, it's smart to implement this disclosure and request for consent to protect the organization if it is interacting with and collecting personal data of those located in the EU, even if it's rare. Add a checkbox on the website that the user must click before data is collected, and for data collected through other channels, ensure that affirmative consent is obtained in some other way first.
- Hire an expert
If you're unsure whether you need to comply with the GDPR rules, it may be a good idea to consult with a legal professional. Because these data privacy laws are complex and extensive, it can be easy to make a misstep or fail to implement a consent-gathering procedure because you don't think it applies to your organization. But fines can be extremely costly, so it's worth reviewing your data structure and setting up a plan that will keep your association protected.
To further discuss the GDPR and how it may affect your association, schedule a consultation with our real estate law firm. Our team of attorneys at PeytonBolin can ensure that all regulations are being followed and that you can set up a successful action plan for the future.