Goodsill Alert: From 7350 Miles Away – How Does the European Union’s GDPR Affect Hawai’i Business?
May 25, 2018
This Goodsill Alert was prepared by Jennifer Yamanuha.
On May 25, 2018, the General Data Protection Regulation (“GDPR”)[1] went into effect across the 28 member states of the European Union. It is a comprehensive regulation designed to safeguard the processing of personal data, which essentially means any data that can be used to identify a living human being. The processing of personal data is a broad concept, including just about any activity that can be performed with respect to personal data, including collecting, using, storing, modifying, sharing, or transmitting it.
But since Honolulu is roughly 7,350 miles away from the EU parliament, Hawai’i businesses should have nothing to worry about, right? Think again.
Foreseeably, the GDPR regulates how personal data must be handled by businesses established in the EU, so it would clearly apply to a Hawai’i business with a legal entity in Europe. But wait—there’s more! The GDPR also purports to regulate personal data processing by businesses located outside of the EU, including Hawai’i businesses, so long as the business engages in data processing activities that are related to (i) the offering of goods or services to people in the EU (even if they are offered for free) or (ii) the monitoring of the behavior of people in the EU.
If your business clearly falls into one of those categories, you need to comply.
While there are open questions about how GDPR might be enforced in the U.S., the regulations are clear that non-compliance can result in stiff penalties (up to 20 million Euros, or 4% of a company’s annual revenue). Individuals also have the right to bring private actions under the GDPR. The GDPR applies to all types of businesses, without regard to size or the nature of services offered.
If the GDPR potentially applies to your business, the first step is to map your data flows and determine whether and where personal data of EU residents may be stored on your system (for example, in email, document management databases, marketing or contact databases, employee databases). This can include obvious items pertaining to individuals, such as contact information for clients and business contacts, health information, and financial information, as well as less obvious data such as IP addresses, photographs, location markers, and geo-tracking information.
The regulations apply not only to electronic information, but also to information stored in hard copy and other media.
Once you have identified the personal data on your system, you will want to review whether your use and storage practices are in line with GDPR requirements. Contracts with clients and vendors should also be reviewed if they might involve the personal data of EU residents—GDPR obligations extend from the data source to any party within the chain of supply, including subcontractors. The GDPR describes a number of technical and organizational security measures that must be taken to protect such data, including pseudonymization and encryption.
Businesses should also consider safeguarding data collection going forward, including revising data retention policies and online privacy policies to reflect compliance. Finally, they should ensure that a response plan is in place in the event of a data security breach that exposes regulated data.
As we increasingly engage in a global marketplace, it’s critical to understand how major shifts in international law might affect your Hawai’i business. Although the GDPR primarily protects data of EU residents and data processed within the EU, it very likely will usher in a new standard of personal privacy rights for individuals. To instill a sense of trust in your client base, it is important to stay abreast of these changes and to keep up with evolving best practices.
[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
Notice: We are providing this Goodsill Alert as a commentary on current legal issues, and it should not be considered legal advice, which depends on the facts of each specific situation. Receipt of the Goodsill Alert does not establish an attorney-client relationship.