What is the GDPR?
In April 2016, the EU Commission and Parliament adopted the General Data Protection Regulation (GDPR) which sets forth a set of requirements governing, among other things, the collection, processing, use, and storage of personal data of certain data subjects in the European Union (EU). The regulation becomes effective on May 25, 2018.
Is EAB subject to the GDPR?
As well as applying to companies established in the EU, the GDPR also applies to companies, not established in the EU, where the company’s processing activities are related to either: (i) offering goods or services to data subjects located in the EU; or (ii) monitoring the behavior of data subjects so far as their behavior takes place in the EU (e.g. monitoring via certain cookies).
EAB is not established in the EU – we have no subsidiaries or affiliates located in the EU. EAB products and services are provided exclusively in non-EU countries, and EAB does not offer such products and services to customers located in the EU. The GDPR also extends to certain companies located outside the EU that process personal data of individuals in the EU. In certain limited circumstances, depending on the services that EAB provides to its clients, EAB may be considered a data processor and subject to the GDPR. Accordingly, EAB has taken steps consistent with the principles and protections promulgated by the GDPR in such circumstances, and EAB will continue to uphold its robust data handling practices generally.
What is EAB doing to prepare for the GDPR?
EAB has created a GDPR Task Force to evaluate the obligations that the GDPR creates for us and how the GDPR affects our business relationships with members and clients that may be subject to the GDPR. Accordingly, we are actively monitoring the guidance coming from the EU. The GDPR is built upon prior EU data privacy legislation. However, many of the GDPR requirements do not yet have clear and authoritative implementation guidance.
In addition, our Legal and Information Security teams are carefully monitoring GDPR developments, including analyzing the scope of its application to EAB and ways in which we can support our members and clients to the extent any GDPR obligations may apply to them. We take our data handling practices seriously and are committed to helping our members and clients prepare for their obligations.
Importantly, EAB has many years of experience diligently safeguarding the data that our members and clients entrust to us. EAB currently has robust, industry-appropriate administrative, technical, and physical safeguards embedded in our organization to protect the security and privacy of all personal data we process. In developing our safeguards, EAB has utilized globally-accepted security and privacy standards such as ISO 27001/2, ISO27018/17 and is preparing for a SOC 2 audit. Our defense-in-depth approach to implementing technical, physical, and administrative controls are designed to mitigate risk. These safeguards also have been developed for compliance with various U.S. federal and state data privacy laws, such as FERPA, and include safeguards such as SOC-audited data centers, multi-factor authentication for access, 24x7 monitoring, video monitoring, and locked cages. We are reviewing these safeguards and internal policies to ensure they equally satisfy applicable GDPR requirements.
Will the GDPR affect EAB’s contracts?
The GDPR may require us to incorporate certain provisions into our contracts with members and clients subject to the GDPR when we process personal information on behalf of members and clients who are subject to the GDPR.
What additional responsibilities will the GDPR create for EAB?
In the limited circumstances in which EAB is acting as a data processor on behalf of its clients, EAB will comply with its obligations as a data processor under the GDPR, including with respect to record keeping and reporting.
In addition, for members and clients that may have GDPR obligations, we may be required to assist those members and clients with certain GDPR requirements, such as assisting in requests from subject individuals seeking to exercise their access rights. In those cases, we are reviewing and updating our internal processes to ensure we can do so in an adequate and timely manner and may enter into further agreements with our members and clients concerning these obligations as may be required by the GDPR.
What happens if EAB experiences a data security incident?
We will notify members and clients, without undue delay, when we become aware of a personal data breach materially affecting the personal data provided by members and clients in such a way as to be likely to result in a high risk of adversely affecting individuals’ rights and freedoms. We currently have a data incident response plan for use in the U.S. which we are reviewing and updating.