The European Union’s General Data Protection Regulation (GDPR) (in effect since May 25, 2018) places new requirements on companies and individuals regarding the collection, processing, transfer, and storage of, and access to, personal information of persons located in the EU. The GDPR is important for companies located both inside and outside of the EU because the GDPR can apply to companies not located in the EU under many circumstances.
For companies located outside of the EU, the GDPR can apply if the company processes (e.g., collects, stores, analyzes) the personal data of persons located in the EU (regardless of their citizenship). Personal data is broadly defined to include any information relating to an identifiable natural person. If a company processes personal data of persons located in the EU, that company will be subject to the GDPR if the data processing is related to the offering of goods or services to persons located in the EU (e.g., the company targets persons in the EU), or the company monitors the behavior of persons located in the EU. Companies should review their different business operations to see if they are collecting or using EU personal data (whether collected from customers, employees, or third parties).
The penalties for not complying with GDPR can be severe, including administrative fines of up to 4% of the company’s worldwide total revenue, or 20 million Euros, whichever is greater. While these penalties are reserved for substantial privacy violations, it is yet to be seen exactly how the data protection authorities intend to enforce obligations under the GDPR.
To comply with the GDPR, a company will need to review and address a number of different areas:
- Reviewing and mapping all personal information collected, used, or disclosed by the company;
- Implementing processes to respond to data subject requests to access, delete, change, or restrict the processing of their information;
- Reviewing and updating privacy policies to be consistent with the data collection, use, and disclosure practices;
- Ensuring the company has a lawful basis for all data processing (e.g., consent or contract);
- Ensuring proper contractual agreements are in place between data controllers and data processors;
- Appointing an EU representative and data protection officer under certain conditions; and
- Responding to personal data breaches and notifying the appropriate authority within 72 hours.
Troy F. Meyerson
Alexander D. Boyd
Formed in 1898, Fraser Stryker has grown to become a nationally recognized law firm that represents local, national and multinational clients in complex business transactions and litigation matters.
This article has been prepared for general information purposes and (1) does not create or constitute an attorney-client relationship, (2) is not intended as a solicitation, (3) is not intended to convey or constitute legal advice, and (4) is not a substitute for obtaining legal advice from a qualified attorney. Always seek professional counsel prior to taking action.