What Global Fashion Companies Need to Know About the GDPR If They Collect EU Personal Data
What’s New? (The GDPR.)
Fashion and luxury goods companies need to take heed of yet another data protection regulation. This one could substantially impact them if they collect, process, or transfer EU individuals’ personal data, or plan to do so at some point soon. Specifically, the General Data Protection Regulation (GDPR) is the EU’s new data protection law, recently and finally entered into law. It replaces the old EU data protection regime established by the Data Protection Directive (95/46/EC). The GDPR lays out requirements for organizations that process EU residents’ data and generally provides people increased control over their personal data.
Why Should You Care?
You may be facing increased enforcement risks
Clearly, this will apply to most fashion companies that have parents, subsidiaries, or joint ventures in the EU, or collect EU individuals’ personal data. Most fashion and luxury goods companies collect data on European consumers (and employees), and have not segregated their data between the territories they offer business in. The GDPR will thus have a material impact on their business. For instance, if a fashion house that collects and processes EU personal data does not get its house in order by May 25, 2018, it could be facing fines up to 4% of its global annual turnover for undertakings, or 20,000,000 EUR (whichever is greatest). Let’s allow that to sink in for a bit.
You could also face other legal actions especially because the GDPR provides EU residents with extensive rights, including rights to lodge complaints, an effective judicial remedy, and compensation.
What You Need to Know
The GDPR text covers around 260 pages, but don’t worry, we have gone over it for you and highlighted some of its more significant requirements. The following are some things that you may need to know to Get Data Protection-Ready:
1. Who is covered?
With the GDPR’s expanded scope, you may now be directly covered, if you weren’t already before.
- If you are processing EU residents’ personal data (by offering of goods or services to them or monitoring of their behavior), then you are subject to the GDPR, regardless of whether you are a controller or a processor established in the EU.
- If you are a data “controller,” meaning an entity that determines the purposes and means of processing of personal data, you are still covered under the GDPR, as you were under the Directive, but your obligations have likely expanded, as will be discussed in the following sections.
- If you are a data “processor,” meaning an entity that processes personal data on behalf of a data controller, you are also now directly covered under the GDPR, whereas you may previously only have been subjected to EU data protection obligations by contract. But note the misconception that controllers don’t need data processing agreements with processors anymore – on the contrary, data processing agreements are definitely still needed, and there are contractual terms that must be put in place between a controller and its processor(s).
2. What data is covered?
- If you are processing online identifiers and location data, these are covered under the GDPR, putting beyond any doubt that IP addresses, mobile device IDs, and the like must be treated as personal data. This means that online identifiers and location data are are subject to a host of requirements surrounding fairness, lawfulness, data security, data export, and more.
- The GDPR also covers sensitive and pseudonymized data.
3. Your consumers and employees have stronger individual rights
You will have to make sure that you don’t infringe upon EU residents’ individual rights – some of which are broadened old rights or completely new ones under the GDPR. For example:
- Right to be provided with fair processing information (which gives rise to notice requirements). You may need to provide more detailed information about your data processing, such as the data sources and retention periods. You will have to provide this information in an intelligible form, using clear and plain language that is adapted for the individual. The practical effect of this requirement is that policies will need to be drafted differently depending on whether they are aimed at children or adults.
- Right of access. You may have to provide additional information to individuals regarding your processing of their data, including data processing confirmation, data processing purposes, data categories, and recipients or categories of recipients to whom the data has been or will be disclosed.
- Right to erasure. Under the GDPR, data subjects have the right to get controllers to erase data about them, without undue delay. If you are a controller, you may have the obligation to erase without undue delay. Notwithstanding this right, you may still be able to continue processing personal data if the data remains necessary for the purposes for which it was originally collected, and you still have a legal ground for processing it.
- Right to data portability. Another new right is the right of data portability, which provides data subjects the right to get a copy of their personal data that they’ve provided to a controller, in a format that is structured, commonly used, and machine readable. The GDPR also gives data subjects more control over the transmission of their data.
4. You may need to change how you obtain consent
Under the GDPR, consent to the processing of personal data must be freely given, specific, informed, unambiguous and displayed by a statement or by a clear affirmative action. Consent has to be explicit if the processing involves sensitive personal data – here, nothing short of an opt-in tick box or declaratory consent statement will do. Individuals have the right to withdraw consent or opt-out at any time.
5. You will have to demonstrate accountability in your data protection practices
The principle of accountability is woven throughout the GDPR. This means that you will have to be more accountable than ever before for your data protection practices. Drafting data protection policies will NOT suffice. You will have to be more proactive. Specifically:
- You will have to learn and implement “data protection by design” and “data protection by default.” (This means subscribing to the idea that data protection should be integrated into how you operate your business vs. tacking on data protection safeguards at the last minute.)
- You may need to conduct data protection impact assessments.
- You may need to cooperate with supervisory authorities or consult with them in high risk cases.
6. You have more options to legitimize your cross-border data transfers from the EU
The GDPR provides options for you to legitimize your cross-border data transfers such transfers, which now include:
- A decision by the European Commission declaring a jurisdiction as having an adequate data protection regime;
- A group of company’s Binding Corporate Rules (BCRs);
- Standard contractual clauses (SCCs) adopted by the European Commission;
- An approved code of conduct with binding enforceable commitments;
- An approved certification mechanism (such as the Privacy Shield); and
- Other contractual clauses authorized by a data protection authority.
7. You may have to review your profiling activities
While there is no general prohibition of “profiling” activities under the GDPR, data subjects have a right to object to it. You may have to obtain consent for profiling activities that “produce legal effects” or “significantly affect” a data subject.
8. You may also need to change how you respond to a breach
If you suffer a data breach, you may be subjected to the mandatory obligation to notify the local data protection authority (DPA) without delay. Where possible, the GDPR states that companies should notify their local DPA within 72 hours.
9. You may need to appoint a Data Protection Officer
You may need to appoint a data protection officer—we call them Chief Privacy Officers here in the United States—if your company is involved large scale processing of special categories of data (such as data concerning health, racial or ethnic origin, political opinions, religious or philosophical beliefs), or regular and systematic monitoring of data subjects.
Yes, you have until May 25, 2018 to comply with the GDPR. Depending on your organization, you may have more than enough time to get your data protection house in order. It’s more likely, however, that you need the next two years—or 1 year and 10 months, as of the publication of this post—to review the GDPR provisions, understand your obligations, assess your data protection program, benchmark the status of your data protection program, identify gaps, and then address these gaps by embedding data protection into your organization. The clock is ticking and the sooner you Get Data Protection-Ready, the better for your organization.
While this is not a comprehensive guide to the 260-page GDPR text, the good news is that our team of data protection lawyers are here to answer any outstanding questions that you may have about the new regulation.
Arent Fox’s Cybersecurity & Data Protection group monitors developments in data protection field. For more information, please do not hesitate to contact Anthony V. Lupo, Sarah L. Bruno, Eva J. Pulliam, and Lourdes M. Turrecha.