What Is the GDPR?
The European Union’s General Data Protection Regulation, or “GDPR,” came into effect on May 25, 2018, sending companies scrambling to update their privacy policies. Sales representatives who assume the regulation does not affect them because they are not located in a European Union country are mistaken: the GDPR applies to the processing of personal data of people in the EU, and it reaches organizations outside the EU that offer goods or services to those people or monitor their behavior. Another common misconception is that the GDPR only affects heavily technology-based companies or processes. In fact, the GDPR is technology neutral; those who process personal data on paper are equally affected, as long as the records form part of a filing system. The reach of the GDPR is therefore much broader than many believe: it regulates anyone who processes the personal data of people in the European Union, regardless of whether the data is processed through automated or manual means. Given the amount of contact information that sales representatives collect, they need to understand how that collection is regulated under the GDPR.
The GDPR sets out its principles in Article 5: lawful, fair and transparent processing; limits on the purposes for which data may be used and on how much is collected and how long it is kept; accuracy of the data; security and confidentiality; and accountability, meaning the controller must be able to demonstrate compliance. The regulation also gives individuals (“data subjects”) rights over their data, such as the right to know who is processing it and why, and the right to have it deleted.
Why Do I Care?
In contrast to United States privacy laws, the collection of personal data under the GDPR is strictly regulated and carries serious penalties. The GDPR distinguishes between data controllers, those who determine the purposes and means of processing personal data, and data processors, those who process data on behalf of a controller. A sales representative who decides what contact data to collect and what to do with it is a data controller and bears the full weight of the GDPR’s obligations. The most serious violations by a non-compliant controller carry a maximum fine of EUR 20 million or four percent of the company’s total worldwide annual turnover for the preceding year, whichever is higher; a lower tier of EUR 10 million or two percent applies to other infringements. Because the regulation is so new, there is little authority on how its text will be interpreted and applied; caution is therefore key.
What Do I Need to Do?
Sales representatives should revisit where their data came from, purge any data they no longer need, and evaluate how they process what remains to ensure they are compliant. The GDPR recognizes six lawful bases for processing personal data. The two most relevant to sales representatives are: (1) the data subject has given consent for a specific purpose; or (2) processing is necessary for the “legitimate interests” pursued by the controller, unless those interests are overridden by the interests or rights of the data subject.
Consent must be freely given, specific, informed and unambiguous, and given by a clear affirmative act; the controller must be able to demonstrate that it was obtained. Consent is also revocable: the data subject may withdraw it at any time, and withdrawing must be as easy as giving it. Keep appropriate documentation of when consent was given and of if and when it was withdrawn. Consent is limited to the purpose for which it was given, so sales representatives must process the data only within that purpose; processing outside the scope of the consent is processing without a lawful basis. Special categories of personal data (e.g., biometric data, or personal data revealing race, ethnic origin, religious beliefs, health or trade union membership) are subject to stricter rules and are generally prohibited from processing unless specific conditions are met.
When relying on “legitimate interests,” sales representatives must still give the data subject the required information at the time the data is collected (e.g., who the controller is, the purpose of the processing and the legitimate interest relied on, how long the data will be stored, the data subject’s rights, and where to file a complaint). Keep in mind that although direct marketing can be a legitimate interest, the data subject may object. Where the purpose is direct marketing, the right to object is absolute: once the data subject objects, the data may no longer be processed for that purpose, and no balancing of interests applies. For other purposes, a data subject may object on grounds relating to his or her particular situation, and the controller must stop unless it can demonstrate compelling legitimate grounds that override the data subject’s interests. Because the regulation is so new, it is hard to predict how that balancing will play out in practice; the direct consequence of a valid objection, however, is comparatively light, namely that the data may no longer be processed for the contested purpose. Ignoring a valid objection, by contrast, is an infringement of the data subject’s rights and falls within the upper tier of fines.
Consent and transparency are the best measures for remaining compliant with the GDPR, and when in doubt, err on the side of caution: contact your legal representative or data protection officer about how you process your data. Genuine, documented attempts to comply with the law will count in your favor with regulators. A GDPR violation can result in crippling fines, and it can also create public relations problems for both your own reputation and the company’s.
MANA welcomes your comments on this article. Write to us at [email protected].