May 22, 2018
To learn more about Lathrop Gage, click here ›
GDPR Enforcement Begins Friday: 4 Things You Need to Know
1. What is the GDPR?
The GDPR is the European Union’s General Data Protection Regulation, a comprehensive set of strict privacy laws and regulations. The EU passed GDPR in 2016, but granted a two-year grace period which ends this Friday, May 25, 2018.
The new regulations governs how organizations collect, store, use, process and transfer the personal data of EU residents, giving them more power and control than ever before. It treats data privacy as a fundamental right for individuals in the European Union.
2. The GDPR is an EU regulation, why do I care?
Extraterritorial Reach. The GDPR’s reach is not limited to EU territory. It applies to any organization located in the EU or that stores EU resident personal data in the EU. The GDPR also applies to organizations outside the EU that target goods or services to the EU or track the activities of EU residents.
Broader Definitions. “Personal data” means any information that could lead to the identification of an individual EU resident. It can include just a person’s name (if sufficiently unique), a photograph or image, a computer’s IP address, or a social media post. “Processing” personal data includes almost any activity, including just holding it.
Targeting Activity. Under the GDPR, it matters how and to whom you market. If you operate a US website (with a German language version) that sells lederhosen in both dollars and Euros to Germans, Austrians and the Swiss, you must comply with the GDPR for the personal data you collect from your European customers. If your US website uses only English and dollars and only occasionally ships products to Europe, you are not likely “targeting EU residents” under the GDPR.
Tracking Activity. Just because your website does not target the EU, however, does not mean you can ignore the GDPR. If your US website uses analytics (like Google Analytics) to track the behavior of visitors to your website and you capture the activities of EU residents and use that data to individually tailor the website to those visitors, you may be “tracking EU residents” subject to GDPR regulation.
Fines. The penalties contemplated by those regulations are harsh. Failure to comply with the requirements of the GDPR can result in fines of the greater of €20 milllion or 4% of global turnover—whichever is greater.
3. What individual rights does the GDPR establish or protect?
4. What should I do now that the GDPR is here?
You should have someone in your company who can find out what personal data you collect, what you do with it and how you protect it. If the GDPR applies, you will need to review your legal basis for processing the data, and have a method in place to respond to and document requests by individuals to see, correct or delete their personal data.
Enforcement by the new European Data Protection Board (EDPB), together with local EU data protection authorities, will be largely complaint-driven. In all likelihood, companies with EU operations, lots of EU personal data, or clearly non-compliant activity will be the first scrutinized. Still, the GDPR has been pending for two years, and the EU is taking the GDPR seriously.
Some of your customers may have sent you a GDPR due diligence questionnaire or proposed a Data Transfer Agreement regarding the personal data entrusted to you. If you have not received such requests, you soon will. Those customers and business partners expect you to know your obligations under the GDPR, and will seek to hold you liable if you breach them.
If you have EU locations, employees, or vendors/suppliers, if you target or track EU residents, or if your customers are insisting on GDPR compliance, you need to take stock of the personal data in your possession. The rest of the world is heading toward GDPR-like regulation of personal data. May 25th should serve as a wake up call for those businesses who have yet to consider GDPR’s consequences.
Let the cybersecurity/data privacy professionals at Lathrop Gage, Tedrick Housh and Jason M. Schwent, assist you with any of your GDPR compliance questions or concerns.
© 2019 LATHROP GAGE LLP, ALL RIGHTS RESERVEDCLICK HERE TO UNSUBSCRIBE | POWERED BY FIRMSEEK
The information contained in this document is provided to alert you to legal developments and should not be considered legal advice. Specific questions about how this information affects your particular situation should be addressed to one of the individuals listed. No representations or warranties are made with respect to this information, including, without limitation, as to its completeness, timeliness, or accuracy, and Lathrop Gage shall not be liable for any decision made in connection with the information. The choice of a lawyer is an important decision and should not be based solely on advertisements.
If you do not wish to receive any further communication from Lathrop Gage, please send an email to firstname.lastname@example.org with the subject UNSUBSCRIBE.