Countdown to EU Compliance: Tips to Navigate GDPR & Privacy Shield
This Question & Answer resource page is based on common questions received during our webinar Countdown to EU Compliance: Tips to Navigate GDPR & Privacy Shield. You can access the recording of this webinar here.
The following answers were provided by:
Isabelle Roccia - Senior Policy Adviser at the U.S. Foreign Commercial Service
Andrew Steele - International Trade Specialist at the U.S. Department of Commerce
To the best of our knowledge, the information contained herein is accurate. However, the U.S. Department of Commerce does not take responsibility for actions companies may take based on the information provided here. You should always conduct your own due diligence and seek legal counsel before making decisions or taking actions in the regulatory, standards and commercial fields.
Q: We tokenize and encrypt data for our clients. Most of them are storing credit card numbers. We do not know what else they are storing. Would we need an EU Representative?
A: An organization under GDPR needs to appoint a representative if it has no physical presence in Europe. Article 27 (2) a. provides for an exemption for organizations whose processing of personal data is (a.o.) occasional and does not include large-scale processing of sensitive data. This determination will have to be made separately for the organization and for its client (e.g. one may need a representative and not the other; one may actually need a DPO). See GDPR for complete language. Large-scale is not defined, but examples of large-scale processing include processing of travel data of individuals using a city’s public transport system, and processing of customer data in the regular course of business by an insurance company or a bank.
Q: The statement was made that HR Data means an organization's own data. However, I have had my initial Privacy Shield application item challenged when I did not select HR data (we process HR data on behalf of other companies). There has been inconsistency in how HR data has been viewed. Some companies in my industry have been certified via PS without selecting HR data as required; others have been required to. Please discuss how HR data is applied when it is being processed on behalf of another company.
A: The Privacy Shield consideration of HR data is as follows: "Where an organization in the EU transfers personal information about its employees (past or present) collected in the context of the employment relationship, to a parent, affiliate, or unaffiliated service provider in the United States participating in the Privacy Shield, the transfer enjoys the benefits of the Privacy Shield." For more information, see https://www.privacyshield.gov/article?id=9-Human-Resources-Data.
Q: We are a small business, < 250 employees, that provides "live chat". We do not focus on capturing personal data. For companies that do, we require a BAA as required by HIPAA. It appears our only risk area for GDPR is this type of data: "Web data such as location, IP address, cookie data and RFID tags", and the only concern is that it is "not occasional". What will we be required to do?
A: The size of the company is irrelevant, as GDPR does not create an exemption for SMEs with <250 employees (aside from the processing record exemption) and potentially applies to companies of all sizes and sectors. For a company in scope, even if its core business is not the collection/processing of data, GDPR requirements still apply. In addition, the EU is currently reviewing its e-privacy legislation. This legislation (draft called e-privacy regulation) could apply to live chat services deemed to be electronic communication services. This legislation is not expected to be finalized until the end of 2018, but it is worth monitoring given the business of this company.
A: There is no silver bullet, privacy policies need to be tailored to each individual organization’s needs and we cannot provide legal advice. We can, however, refer you to our Resources page, which has some further information on the topic.
Q: If my organization is already an active participant listed on the Privacy Shield web site, are we considered compliant with all GDPR regulations?
A: No, Privacy Shield is a compliance program with regards to international personal data transfers. The GDPR contains numerous other requirements (regarding individuals' rights, transparency, accountability, security, etc.) that are separate and for which the Privacy Shield is not a solution.
Q: I have communicated with many companies on GDPR. Among a large number of companies (suppliers/vendors/customers/partners), I have been told many refuse to sign agreements associated with GDPR, especially those that might outline roles (controller/processor) that might increase their liability. How can a company that attempts this in good faith be held accountable in compliance?
A: Article 28 requires controllers to update all contractual agreements that fall under the remit of the GDPR to match this article's requirements for contractual language. This article sets a baseline of terms that should be in a contract but indeed does not exclude negotiation between business partners. Any controller or processor should refer to the language of the GDPR to ensure that the proposed language matches their requirements under GDPR.
Q: The statute does allow for the establishment of orgs that can perform "GDPR Certification" services, establish frameworks for GDPR compliance certification, etc. Are you aware of any developments there?
A: At the moment, ITA is aware of a few initiatives, in particular in the cloud computing space. These codes of conduct pre-date the GDPR but were drafted with a view to its implementation. Stakeholders anticipate more codes of conduct to be developed once the GDPR becomes applicable.
Q: Does a US company need to identify a DPO in every EU state/country, or could one DPO be used for all of the EU states? And does the DPO need to reside in the EU?
A: First, a company needs to run an assessment of whether or not it actually must appoint a DPO. See DPA guidance here: http://ec.europa.eu/newsroom/document.cfm?doc_id=44100
The GDPR creates a one-stop-shop that will make it easier for companies to interact with their DPA and for DPAs to interact among themselves. Organizations will identify their lead DPA in a specific country, and this DPA will be the liaison with all the other relevant DPAs. As such, the company only needs one DPO (which can be one person or a team). There is no requirement for the DPO to be physically based in Europe; this is a business decision.
Q: Should a US-based company retain an EU-based law firm that is proficient in GDPR to guide the context of the company's policy?
A: ITA recommends seeking legal counsel with EU privacy legislation expertise, whether based in Europe or elsewhere. Local bar associations can help identify law firms with a suitable privacy practice in the U.S. For companies that wish to retain Europe-based law firms, the Commercial Service teams in embassies can assist.
Q: Is a representative in the EU mandatory irrespective of the size of business in the EU?
A: Yes, but Article 27 (2) a. provides for an exemption if the processing is occasional and does not include large-scale processing of special categories of data (i.e. sensitive data). See GDPR for complete language. Large-scale is not defined, but examples of large-scale processing include processing of travel data of individuals using a city’s public transport system, and processing of customer data in the regular course of business by an insurance company or a bank.
Q: Is a DPIA required to be done by a Data Processor?
A: The DPIA is the primary responsibility of the controller, per article 35 of the GDPR. Link to the DPA guidance document on DPIA: http://ec.europa.eu/newsroom/document.cfm?doc_id=47711
Q: Is an EU representative mandatory for a Data Processor who is only processing data from EU data subjects?
A: An organization under GDPR needs to appoint a representative if it has no physical presence in Europe. Article 27 (2) a. provides for an exemption for organizations whose processing of personal data is (a.o.) occasional and does not include large-scale processing of sensitive data. This determination will have to be made separately for the organization and for its client (e.g. one may need a representative and not the other; one may actually need a DPO). See GDPR for complete language. Large-scale is not defined, but examples of large-scale processing include processing of travel data of individuals using a city’s public transport system, and processing of customer data in the regular course of business by an insurance company or a bank.
Q: Does a Data Processor need to have an EU representative and a DPO?
A: The representative and the DPO are two distinct requirements. The former is largely determined by whether or not the company has a physical presence in the EU. The latter is determined by the core activities of the company.
An organization needs to appoint a representative if it has no physical presence in Europe. However, Article 27 (2) a. provides for an exemption for organizations whose processing of personal data is (a.o.) occasional and does not include large-scale processing of sensitive data. See GDPR for exact language.
The conditions for the mandatory appointment of a DPO are explained in Article 37 and include large-scale processing of sensitive data. See also DPA guidance on DPOs: http://ec.europa.eu/newsroom/document.cfm?doc_id=44100
(Large-scale is not defined, but examples of large-scale processing include processing of travel data of individuals using a city’s public transport system, and processing of customer data in the regular course of business by an insurance company or a bank.)
Q: A breach involves huge penalties, so the ability to detect a breach, by use of technology or via a manual process, is crucial. Any tips?
A: First, the threshold for a breach is very low. Referring to the DPAs' guidance is essential to know what to notify and what not to. See guidance on data breaches here: http://ec.europa.eu/newsroom/article29/document.cfm?doc_id=49827
An example of loss of personal data can include where a device containing a copy of a controller’s customer database has been lost or stolen. A further example of loss may be where the only copy of a set of personal data has been encrypted by ransomware, or has been encrypted by the controller using a key that is no longer in its possession.
Regarding technology to be used, the GDPR mentions state-of-the-art technology but remains technology-neutral. Companies can look at existing widely-accepted standards for additional guidance, such as the NIST Framework or ISO 27001, but this is illustrative only as there is no official recognition by the GDPR.
Q: Most of what I see converged under GDPR seems to cover electronic communications. I’m at a B2B call center. Our lists, spreadsheets stored in a database, are either purchased or come from our clients (the norm being prospects, not business people with existing relationships). Can we call into European businesses and be compliant?
On a side note, I’m a DBA. When I was first asked to look into this, my first reply was ‘ask the corporate lawyers’. In your professional opinion, how important is getting people involved from our company who have actual legal expertise?
A: Electronic communications are also covered by the e-privacy directive (currently being revised under the name e-privacy regulation). It will be very important to monitor this piece of legislation in addition to implementing GDPR requirements as applicable.
Regarding the second aspect of the question: the GDPR compliance process indeed requires contributions from many teams in any organization: legal, finance, IT/IT security, HR, and operations. Other teams, such as product teams and marketing teams, must also be involved.
Q: To what extent does a company comply with GDPR if it is already ISO 27001 certified? I have heard there is about 90% to 95% overlap.
A: The Department of Commerce is not in a position to provide a definitive comparative analysis between GDPR and ISO 27001 at this stage. Regarding technology to be used, the GDPR mentions state-of-the-art technology but does not specify any further. Companies can look at existing widely-accepted standards for additional guidance, such as the NIST Framework or ISO 27001, but this is illustrative only as there is no official recognition by the GDPR.
Q: Can you summarize the key differences in obligations of small companies (<250 employees) versus larger companies that process a lot of personal data?
A: The GDPR essentially applies the same way to companies regardless of their size. There is one exemption for SMEs regarding the recording of data processing activities.
Q: Can you speak briefly on the use of "legitimate interest" with respect to managing sales contacts, for example contact information entered in a web form to obtain sales material?
A: Legitimate interest is one of six legal bases that the GDPR proposes for personal data processing. Companies should run an analysis to determine which legal basis they can use and, if several, which one is more suitable for their needs (commercially, structurally, etc.). If using legitimate interest, companies must run an impact assessment to show that they have given proper consideration to the reasonable expectations of the data subject, and they must keep a record of that assessment. Recitals 47 onwards offer some guidance on what can be defined as legitimate interest. Examples include direct marketing purposes, provided there is an opt-out.
Q: Does Privacy Shield take the place of Standard Contractual Contracts?
A: Privacy Shield and Standard Contractual Clauses are two of the valid transfer mechanisms. Binding corporate rules are another option. There are differences, which may require legal consultation. For more information, see https://www.privacyshield.gov/article?id=Contract-Requirements-for-Data-Transfers-to-a-Processor and, without prejudice, https://www.bna.com/euus-privacy-shield-n57982076824/
Q: While many discussions surround the GDPR compliance process specifically, can you please discuss the process of subject requests once compliant, and specifically how to verify that an individual is in fact the individual they state they are, to ensure the PII you are providing is owned by the requesting subject?
A: At this stage, there is no official guidance on this matter. One element of this process will be to properly train the staff that will be processing these requests. One practice that has been observed consists of asking the data subject to provide personal data already held by the company in order to proceed with the identity verification; this is to avoid collecting more personal data about a given data subject, possibly without a legal basis. This is one example and does not constitute an official recommendation by the Department of Commerce.
Q: Specifically for online ecommerce businesses: for data such as a customer's transaction history (past purchase history, etc.), does the data need to be deleted immediately upon a customer's request for their data to be deleted? Or does it need to be retained for a required time period as required by the specific EU country's data retention laws and requirements?
A: Recitals 65 and 66 of the GDPR address the issue. Recital 65 states: "a data subject should have the right to have his or her personal data erased and no longer processed where the personal data are no longer necessary in relation to the purposes for which they are collected or otherwise processed[...]". Companies should carefully consider the way they will draft their information notice, which under GDPR now includes the retention period for the data collected. If companies cannot set a retention period, they should at least specify the criteria that will be used to determine the retention.
Q: Our company is receiving a number of Model Clause contract addendums from our clients. These addendums assign the data importer role to our company. The Model Clauses stipulate that, if our company receives a privacy request directly from a data subject, we must notify the client company and allow them to participate in or approve any response to the data subject. This would seem to be a violation of the data subject's privacy rights. Is that an incorrect interpretation based on our role as the data importer?
A: First, model clauses cannot be amended in a way that would alter and lower their essence, but their language can be supplemented. Second, the controller is ultimately the party responsible for making determinations pertaining to data subjects' requests (for erasure, rectification, ...). Per Article 28 (3) e, the processor should assist the controller in fulfilling its obligations in that respect, and their contract should stipulate this element.
Q: This slide states that an organization is eligible for GDPR if they provide goods or services to EU individuals. Does that mean B2B companies are exempt?
A: No, B2B companies are not exempted as such from the scope of the GDPR. See Article 2 (2) for exceptions to the application of the GDPR, which include i.a. activity that is purely personal/household-related and activity that falls outside the scope of EU law.
Q: Is it allowed for a company to be compliant with GDPR without certifying to the Privacy Shield?
A: Yes, Privacy Shield is one existing tool for compliance regarding international personal data transfers. Chapter 5 of the GDPR recognizes other transfer mechanisms (such as model clauses and binding corporate rules).
Q: Has there been any additional clarity or guidance on whether businesses must appoint a DPO?
A: The official DPA guidance document can be found here: http://ec.europa.eu/newsroom/document.cfm?doc_id=44100
In addition, some DPAs are producing guidance on qualifications for DPOs. See for instance the Irish DPA's additional guidance: https://dataprotection.ie/viewdoc.asp?DocID=1643&ad=1
Q: How are small US companies dealing with the requirement to have a representative located in the EU?
A: The DPAs have not yet produced any official guidance on the representative requirement. At the moment there is no concerted view on how to meet this requirement.
Q: We are a US firm, with some clients in the EU. We are compliant with US HIPAA requirements. Does that help us be compliant with GDPR? Are there significant differences?
A: The mandate of the Foreign Commercial Service is to counsel on foreign markets' regulatory environment. It is not in a position to provide a comparative analysis between EU and U.S. law. The Foreign Commercial Service is not in a position to counsel on HIPAA or draw parallels between HIPAA and the GDPR.
Q: As a small US research business that occasionally conducts surveys of individuals in the EU, would simply completing the Privacy Shield application be the first step in gaining compliance?
A: An organization that does international personal data transfers from the EU to a third country will need to comply with the GDPR Chapter 5 requirements to have a valid transfer mechanism in place. Privacy Shield is one available tool that can contribute to building a full compliance program. Certifying to Privacy Shield does not offer full compliance with the GDPR requirements in other chapters.
Successful participation in Privacy Shield indicates to EU regulators an attention to EU data protection regulations. Full compliance in Privacy Shield and GDPR are continual efforts, hence Privacy Shield's renewal process. In particular instances, U.S. officials cannot provide exhaustive legal counsel.
Q: Can you give some specific examples on how Privacy Shield can be leveraged against the requirements of GDPR?
A: Privacy Shield enables participating companies to meet the EU requirements for transferring personal data to third countries, discussed in Chapter V of the GDPR.
Q: What are the top 3 compliance elements that US companies should be focusing on as they kick-off their GDPR compliance?
Q: What are you hearing from EU data protection authorities about their enforcement priorities in the early months of GDPR implementation? Is there any area that US companies should be particularly concerned about?
A: The GDPR becomes enforceable on May 25, 2018. Some individual DPAs have made statements regarding their intended approach to enforcement of the GDPR. See for example statement from the French DPA which will offer a grace period for new requirements but not for principles that are not new: https://www.cnil.fr/fr/rgpd-comment-la-cnil-vous-accompagne-dans-cette-periode-transitoire
Some have also publicly recognized their challenges in getting ready to meet that deadline. See for instance: https://www.reuters.com/article/us-europe-privacy-analysis/european-regulators-were-not-ready-for-new-privacy-law-idUSKBN1I915X
Q: If my company is meeting Privacy Shield requirements for third party contracts with both controllers and agents, are there any additional GDPR contract requirements they should be aware of?
A: Privacy Shield is a compliance program with regards to international personal data transfers. The GDPR contains numerous other requirements (regarding individuals' rights, transparency, accountability, security, etc.) that are separate and for which the Privacy Shield is not a solution.
Q: When the Commerce Department reviews my privacy notice for Privacy Shield compliance, will they also confirm it is GDPR-compliant?
Q: Is there a program like Privacy Shield for certifying GDPR compliance?
A: As of right now, there is no approved certification program. Article 42 of the GDPR outlines the establishment of data protection certification mechanisms and data protection seals and marks, but none are approved today.
Q: When companies that are applying are asked by Commerce to revise their privacy policies, should they post the revised policy online for Commerce review, or do they have to re-upload the revised policy into the system?
A: Unless explicitly advised to upload the policy to their public-facing website, please continue to provide policy updates in a private format. This reduces the possibility of false claims complaints.
Q: If a company is found (by a DPA) to be out of GDPR compliance, could that adversely affect their status on Privacy Shield?
A: A finding by the DPA that a company is not in compliance with the GDPR does not in itself indicate that the company is not in compliance with the Privacy Shield principles.
The EU-U.S. Privacy Shield is a mechanism to transfer personal data from the European Union to the United States. It is not a GDPR compliance mechanism but rather is a mechanism that enables participating companies to meet the EU requirements for transferring personal data to third countries, discussed in Chapter V of the GDPR.
While the Privacy Shield was designed with an eye to the GDPR, addressing both substantive and procedural elements, the requirements in the Privacy Shield and the GDPR are not identical.
However, depending on the violation, a company that is found to be not in compliance with the GDPR could also be found to be not in compliance with the Privacy Shield principles. If an organization persistently fails to comply with the Privacy Shield principles, it will no longer be entitled to benefit from the Privacy Shield. The Department of Commerce will remove the organization from the Privacy Shield list and the organization must return or delete information it received under the Privacy Shield.