What Software Companies Need to Know about the EU General Data Protection Regulation

If your business is in the software industry and you do any business in Europe, you should be aware of the EU General Data Protection Regulation (“GDPR”), as it will apply to your business when it goes into effect on May 25, 2018. You also may want to consider pursuing Privacy Shield certification before the GDPR goes into effect.

What exactly is the GDPR? It is Regulation (EU) 2016/679, adopted by the European Parliament and the Council in April 2016, which replaces the 1995 Data Protection Directive and governs the processing of the personal data of individuals in the EU. Attached is a copy of the full text of the GDPR.

The GDPR will apply to any business established in the European Union and, regardless of where the business is located, to any business that processes the personal data of people in the European Union in connection with offering them goods or services or monitoring their behaviour. Article 3 of the GDPR provides:

  1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
  2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union.

Article 4 of the GDPR defines “personal data” as:

any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Article 4 of the GDPR defines “processing” as:

any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Some highlights from the legislation are as follows:

Article 5 of the GDPR provides guidelines on how data should be processed, which includes keeping it in a form “which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.”

Article 7 of the GDPR establishes the requirements for procuring consent to data processing, which include that “the request for consent shall be presented in a manner that is clearly distinguishable from other matters, in an intelligible and easily accessible form, using clear and plain language” and that the “data subject shall have the right to withdraw his or her consent at any time.” Article 8 of the GDPR sets forth the conditions for procuring consent from children in relation to online services, including that “where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.” Member States may set a lower age for this purpose, but not below 13 years, so the applicable threshold may vary by country.

Article 9 of the GDPR prohibits, subject to the limited exceptions in Article 9(2) (such as the explicit consent of the data subject), the processing of certain special categories of data: “personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.” Article 10 of the GDPR adds to this list personal data relating to criminal convictions and offences, which may be processed only under the control of official authority or where authorised by EU or Member State law.

Article 17 of the GDPR codifies the right to erasure, the so-called “right to be forgotten.”

Article 27 of the GDPR requires controllers and processors that are not established in the European Union but are subject to the GDPR under Article 3(2) to designate a representative in the European Union, except in the following circumstances:

  1. processing . . . is occasional, does not include, on a large scale, processing of special categories of data as referred to in Article 9(1) or processing of personal data relating to criminal convictions and offences referred to in Article 10, and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing; or

  2. [where processing is by] a public authority or body.

Article 33 of the GDPR requires a controller to notify a personal data breach to the appropriate supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. A processor that becomes aware of a breach must notify the controller without undue delay, and Article 34 separately requires the controller to notify the affected data subjects where the breach is likely to result in a high risk to them.

Article 46 of the GDPR permits the transfer of personal data to a third country or international organisation, in the absence of an adequacy decision under Article 45, only if “appropriate safeguards” are in place and enforceable data subject rights and effective legal remedies are available. Such safeguards may include the standard data protection clauses adopted by the European Commission or, with the authorisation of the supervisory authority, “contractual clauses between the controller or processor and the controller, processor or the recipient of the personal data in the third country or international organisation.”

If your software company is doing business in Europe and has not already pursued Privacy Shield certification, you may want to consider doing this as soon as possible. The Privacy Shield Frameworks were recently designed by the U.S. Department of Commerce in conjunction with the European Commission and the Swiss Administration in order to provide companies with a “mechanism” to comply with European Union and Swiss data protection requirements when transferring personal data from the European Union and Switzerland to the United States. Some of the key requirements of the Privacy Shield Framework are listed on this linked web page. As part of the process, your software company will need to update its existing privacy policy to include the language required by the Privacy Shield Framework, which is set forth at the https://www.privacyshield.gov website. The U.S. Department of Commerce has provided a webpage listing the benefits of participation to U.S. companies. Your company may find going forward that Privacy Shield certification is required by prospective European customers, so simply being prepared to do business with them may be an additional benefit of the Privacy Shield certification process.

The bottom line is that software companies need to spend some time familiarizing themselves with the GDPR and consider how their business may be affected by the legislation before it goes into effect in May 2018. If your company does business in Europe or hopes to do business in Europe in the foreseeable future, this privacy legislation will affect future deals with potential European customers and will certainly affect what you can do with personal data obtained through such relationships going forward.