GDPR and the Expanding Concept of "Citizen"

Europe's General Data Protection Regulation (GDPR) establishes a fundamental right to privacy in all of the "data subjects" that are within its jurisdiction. The rule becomes enforceable on May 25, 2018, and companies that have EU "data subject" information currently in their databanks must demonstrate by that date that they are managing that data per GDPR standards. If your enterprise works in the EU or with EU citizens, you need to be prepared to demonstrate GDPR compliance on or before its enforcement date.

What Is a "Data Subject"?

A "data subject" is the EU-sited person connected to data collected by any entity, whether that's another person, a private corporation or a government entity. Data subjects are identified by their "personally identifiable information" (PII), so the information relates to anything that can inform another person who they are as an individual. PII includes names, government identifiers, or commercial identifiers, as well as emails addresses, social media accounts, and any other data that reveals the identity of its owner. Further, the rule does not apply to deceased people, nor does it apply to generic information that can identify more than one person, such as hair or eye color.

According to the GDPR, people who are "data subjects" have a fundamental right to privacy and retain full control of their PII data regardless of with whom or under what circumstances they share it.

Citizens or Residents? Both?

While the intent of the rule seems clear (it is "designed to serve man"), it is also ambiguous. On its face, it refers to "citizens" as that word is presumably defined by Article 20 of the Lisbon Treaty, the agreement that established the existence of the EU itself: "Every person holding the nationality of a Member State shall be a citizen of the Union."

However, Recital 14 of the regulation states that the rule applies to "natural persons, whatever their nationality or place of residence ... ," which suggests that non-citizens would also be covered. Non-citizens could be non-EU students, embassy staff and their families, or even tourists whose only contact with the Union is a two-week vacation. Confusing matters even more are the rights of EU citizens who don't live in the EU. While the language is clear - "citizens of the EU" - the enforcement of such a sweeping mandate would be challenging, especially if the EU countries don't maintain complete records of their citizens living outside their borders.

Where to Start

In many ways, the GDPR regulation resembles America's mandatory data breach notification rules, in that it establishes the policies and procedures that entities must follow when they have access to PII. Forty-eight states currently regulate privacy concerns (Alabama and South Dakota are silent on the issue), including setting definitions, identifying who must comply with data privacy regulations, what constitutes and how to remedy a breach; you'll want to compare those to the GDPR standards to see if they provide a path to compliance.

The GDPR, however, goes a step further than just inventorying relevant data. It requires that companies that possess the data also prove that they are compliant with the GDPR, which means they must maintain a system that reveals, when asked:

• The identities of the data managers within the organization;
• The purposes for which they are using the information;
• Descriptions of the categories of data subjects and personal data segments;
• The identities of all who have seen the information, including foreign personnel;
• The safeguards used when transporting the data across country boundaries;
• The timelines anticipated for erasure of the different categories of data, and
• The security measures applied to the data.

The implementation of the GDPR marks a turning point in global communications and resets a higher bar for any entity interested in doing or growing their business within the European Union.