This document provides a broad overview of the EU General Data Protection Regulation (“GDPR”) and PROS’ approach to compliance, but does not provide legal advice. Please consult with your own legal counsel to understand how GDPR applies to your specific situation.
What is GDPR?
GDPR is a new comprehensive data protection law that replaces existing EU laws to strengthen the protection of “personal data”. It replaces the current patchwork of national data protection laws in Europe with a single set of rules, directly enforceable in each EU member state. GDPR takes effect on May 25, 2018. Although EU member states have some flexibility to implement laws and regulations in certain areas permitted by GDPR, GDPR will generally streamline current data protection laws, enhancing the protections guaranteed to individuals and providing clarity to companies required to comply.
GDPR applies to organizations both inside and outside of the EU that are processing the personal data of individuals in the EU. Companies that fail to comply could face fines of up to the greater of €20,000,000 or 4% of worldwide annual revenues.
What is personal data?
GDPR broadens the current definition of “personal data” to mean any information that could be used to identify an individual, including names, business email addresses, and account numbers. GDPR also clarifies that location data and online identifiers, such as IP addresses, are personal data.
What does GDPR require?
GDPR imposes new rules around how European personal data may be handled, including in relation to concepts of consent, transparency, profiling, recordkeeping, data breach notification, and individual access rights. Individual access rights include the right of an individual to request access to data about himself or herself; to restrict the way such individual’s data is used; and, in certain circumstances, to require the deletion of such data. GDPR also requires companies to carry out “data protection impact assessments” identifying the impact of proposed processing operations if the processing is likely to pose a “high risk” to individuals. It is important to note that GDPR includes certain principles about the technical and organizational measures that companies must have in place, but it does not include specific or prescriptive requirements implementing such principles.
Does GDPR require personal data of individuals in the EU to stay in the EU?
No. Companies may transfer personal data of individuals in the EU outside of the EU if they have a valid mechanism in place to adequately protect the data transfer. Those mechanisms include, for example, Binding Corporate Rules or Standard Contractual Clauses approved by the European Commission, and, for transfers to the U.S., registration under the EU‐US Privacy Shield Framework Principles.
How does GDPR apply to PROS?
As a global company with customers and employees in many jurisdictions in Europe and around the world, PROS regularly processes the personal data of persons in the EU, and will be subject to GDPR. GDPR has different requirements depending upon whether a company is a “controller” or a “processor” of the applicable personal data. PROS will be a controller of the personal data that it collects on its own behalf, including of its employees and in its marketing efforts. PROS generally will be a processor of personal data that it handles on behalf of its customers, which are the controllers of that personal data.
What is PROS doing to prepare for GDPR?
At PROS, protecting the data that we handle on behalf of our customers and employees is our top priority and we welcome GDPR as an opportunity to strengthen our commitment to data protection. PROS has put together a cross‐departmental team, managed by its Legal team and advised by external expert advisors, to analyze and document our current practices, assess the changes that we need to make for GDPR, and implement those changes. Our strong foundation of legal, security, and governance practices and procedures and our commitment to data protection have put PROS in a strong position to achieve GDPR compliance by May 2018. PROS’ compliance project plan addresses requirements that affect how we handle personal data belonging to our applicants and employees; how we handle personal data that we receive from our customers and process on their behalf; and what we require of our vendors and partners who process personal data on our behalf.
Specifically, PROS’ GDPR compliance initiative includes the following projects:
- Analyzing and documenting personal data in our business subject to GDPR;
- Creating a plan to achieve GDPR compliance;
- Compiling a team with the expertise and authority to implement GDPR‐required changes;
- Revising internal policies and procedures;
- Revising contractual arrangements with customers and vendors to include GDPR‐required provisions;
- Revising company privacy policies and notices;
- Training employees in GDPR‐compliant personal data handling; and
- Monitoring for additional guidance from EU regulators that impacts GDPR compliance.
You can find more information about GDPR at the links set forth below.
If you have any questions relating to PROS’ GDPR compliance efforts, please contact your account representative.