{"id":140,"date":"2018-09-18T08:59:38","date_gmt":"2018-09-18T12:59:38","guid":{"rendered":"https:\/\/pbacyber.com\/?p=140"},"modified":"2018-09-18T09:43:35","modified_gmt":"2018-09-18T13:43:35","slug":"gdpr-in-pennsylvania-should-you-worry-about-it","status":"publish","type":"post","link":"https:\/\/pbacyber.com\/index.php\/2018\/09\/18\/gdpr-in-pennsylvania-should-you-worry-about-it\/","title":{"rendered":"GDPR in Pennsylvania: Should You Worry About It?"},"content":{"rendered":"<p>By Joshua Mooney, <a href=\"https:\/\/www.whiteandwilliams.com\" target=\"_blank\" rel=\"noopener\">White and Williams LLP<\/a><\/p>\n<p>On May 25 2018, the European Union General Data Protection Regulation, Regulation (EU) 2016\/679 (GDPR), took effect across the European Union, implementing one of the most significant regulatory changes in data protection in more than 20 years. The foundational principle of GDPR is that individuals have a fundamental human right to the protection of \u201cpersonal data.\u201d The regulation has a far-reaching effect in terms of both the vast amounts of information it regulates and the legislation\u2019s extra-jurisdictional, global reach.<\/p>\n<p>&nbsp;<\/p>\n<p>For many in Pennsylvania, GDPR may seem like a distant squall of intense European regulatory requirements and privacy concerns. Don\u2019t be fooled, and don\u2019t be caught by surprise. GDPR can have a significant impact on companies in Pennsylvania, even small and mid-sized ones. It\u2019s never too late to have a GDPR discussion.<\/p>\n<p>&nbsp;<\/p>\n<p><strong>What is GDPR?<\/strong><\/p>\n<p>In its most fundamental terms, GDPR applies to the collection, protection, and retention of \u201cpersonal data\u201d of EU citizens. It provides lawful bases for \u201cprocessing\u201d \u201cpersonal data,\u201d and specifies procedures and specific timeframes for notification of data breaches. It also has stiff penalties that may reach \u20ac20 million, or 4 percent of worldwide corporate revenue, for those who violate the regulation.<\/p>\n<p>&nbsp;<\/p>\n<p>In its most basic terms, GDPR regulates the \u201cprocessing\u201d of \u201cpersonal data.\u201d Article 4(1) defines \u201cpersonal data\u201d in broad terms as:<\/p>\n<p style=\"padding-left: 30px;\">any information relating to an identified or identifiable natural person (\u2018data subject\u2019); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.<\/p>\n<p>&nbsp;<\/p>\n<p>Thus, any piece of information that can be used to directly or indirectly identify a person is deemed \u201cpersonal data.\u201d The definition extends far beyond names, addresses, biometrics, or other identifiers deemed \u201cpersonal information\u201d under U.S. law. Under GDPR, email addresses, computer IP addresses, cookies, GPS data all may be deemed as \u201cpersonal data\u201d and fall within the regulation.\u00a0 A data breach involving personal data, defined as a breach in security \u201cleading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to\u201d personal data can trigger notification requirements with deadlines of 72 hours or less.<\/p>\n<p>&nbsp;<\/p>\n<p>Article 4(2) of GDPR defines \u201cprocessing\u201d in very broad terms to mean:<\/p>\n<p style=\"padding-left: 30px;\">any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.<\/p>\n<p>&nbsp;<\/p>\n<p>By expressly including any collection, recording, organization, storage, use, disclosure or destruction of personal data, the definition is intended to cover any operation or interaction with such data. In other words, if a company touches personal data, it \u201cprocesses\u201d it.<\/p>\n<p>&nbsp;<\/p>\n<p>Notably, neither the definition for processing or personal data has a geographical limit. Therefore, a company need not be located within the EU to be governed by GDPR. If an organization outside the EU stores personal data, monitors the behavior of, or offer goods or services to EU residents, regardless of whether those residents are customers, consumers, employees, partners, business contacts, or vendors, GDPR applies.<\/p>\n<p>&nbsp;<\/p>\n<p><strong>Why a discussion about GDPR is important.\u00a0 <\/strong><\/p>\n<p>Whether GDPR applies to a company, and if so, the risk of exposure for noncompliance, depends on that company\u2019s business operations. Even for those companies that fall within GDPR, the risk of exposure that the regulation presents may vary. Yet, even companies with little or no perceived GDPR exposure should still understand GDPR\u2019s scope and applicability. Here are three reasons why:<\/p>\n<p>&nbsp;<\/p>\n<p style=\"padding-left: 30px;\"><strong>Better Security, Better Business. <\/strong>According to a recent Ponemon Institute report, the cost of data breaches has increased another 8 percent, with the average total cost of a sustained data breach at $8 million. The best and most effective way to mitigate the risk (and cost) of a cybersecurity incident, including a data breach, is to have an effective, written data security program with effective elements for early detection, mitigation and recovery. GDPR provides a good opportunity to revisit the state of a company\u2019s data security program. If no program exists, developing and implementing one should be an immediate priority.<\/p>\n<p>&nbsp;<\/p>\n<p style=\"padding-left: 30px;\"><strong>U.S. Data Privacy Laws.<\/strong> There are no U.S. laws as comprehensive as GDPR, but that does not mean the U.S. lacks in significant data privacy and security laws.<\/p>\n<p>&nbsp;<\/p>\n<p style=\"padding-left: 30px;\">Last spring, California enacted the Consumer Privacy Act, which introduces significant new requirements on any business that collects and sells personal information of California residents. The legislation expands the definition of personal information in GDPR-like fashion to include \u201cinformation that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household,\u201d and it imposes many GDPR-like disclosure requirements. A recent Ohio law creates a safe harbor from liability for an effective data security program. In fact, since GDPR\u2019s effective date, over 13 states have enacted data privacy and security legislation.<\/p>\n<p>&nbsp;<\/p>\n<p style=\"padding-left: 30px;\">Significant data security laws were enacted prior to this year. New York enacted cyber regulations that provide strict requirements for data security, including the implementation of cybersecurity programs based on annual risk assessments, and topping off by requiring the personal certification of regulatory compliance by a senior officer of the company. The NAIC passed a model law on data security. And don\u2019t forget federal laws like HIPAA, the HI-TECH Act, and GLBA. Even if GDPR does not apply to a company\u2019s operations, other regulations might.<\/p>\n<p>&nbsp;<\/p>\n<p style=\"padding-left: 30px;\"><strong>Business Relationships.<\/strong> Sometimes a company\u2019s client or business partner, who must comply with GDPR, may try to impose contractual requirements to adhere to GDPR. New business opportunities may create compliance requirements where none existed before. Assessing GDPR compliance issues now can place a company in a better positon to acquiesce to such requirements. On the other hand, understanding GDPR also can place a company in a better position to persuasively negotiate non-applicable or overzealous GDPR compliance requirements out of the terms of a contract.<\/p>\n<p>&nbsp;<\/p>\n<p>While GDPR has been in effect for nearly four months, it\u2019s not too late to begin a discussion about GDPR. Companies should conduct an information assessment to examine whether GDPR applies to their operations, and if so, whether compliance is feasible. When is the last time your company has conducted a risk assessment? If it has conducted a risk assessment, was the GDPR or the general concept of privacy and security a weighted risk? These questions can be the start of a critical evaluation and a necessary discussion.<\/p>\n<p><span style=\"display: inline !important; float: none; background-color: transparent; color: #000000; font-family: 'Open Sans',Arial,sans-serif; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration: none; text-indent: 0px; text-transform: none; -webkit-text-stroke-width: 0px; white-space: normal; word-spacing: 0px;\">___________________________<\/span><\/p>\n<p><em><a href=\"https:\/\/www.whiteandwilliams.com\/lawyers-JoshuaMooney.html\" target=\"_blank\" rel=\"noopener\">Joshua Mooney<\/a> is a partner at White and Williams LLP in Philadelphia. He is co-chair of the firm\u2019s Cyber Law and Data Protection Group.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>By Joshua Mooney, White and Williams LLP On May 25 2018, the European Union General Data Protection Regulation, Regulation (EU) 2016\/679 (GDPR), took effect across the European Union, implementing one of the most significant regulatory changes in data protection in more than 20 years. The foundational principle of GDPR is that individuals have a fundamental <br \/><a class=\"read-more-button\" href=\"https:\/\/pbacyber.com\/index.php\/2018\/09\/18\/gdpr-in-pennsylvania-should-you-worry-about-it\/\">Read More &raquo;<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[16],"tags":[],"_links":{"self":[{"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/posts\/140"}],"collection":[{"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/comments?post=140"}],"version-history":[{"count":6,"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/posts\/140\/revisions"}],"predecessor-version":[{"id":146,"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/posts\/140\/revisions\/146"}],"wp:attachment":[{"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/media?parent=140"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/categories?post=140"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/tags?post=140"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}