Yes, “GDPR” is another acronym you need to not only be aware of, but understand how it impacts your business. Why? Because non-compliance could be very expensive.
On May 25th, 2018, the General Data Protection Regulation will replace existing data protection law in all EU member states, and applies to all companies, no matter where in the world, that process the data of individuals based in the EU. Failure to comply may cost you €20 million or more, so it’s definitely worth familiarizing yourself with the essentials.
Here’s an overview:
Where does the GDPR apply?
The GDPR is designed to unify a set of data protection rules that will apply across the EU. The GDPR retains and enhances existing protections while also introducing many important new requirements, which leave some room for interpretation. It’s critical to know what applies to you.
My company is based in the US, how does the GDPR apply to me?
The GDPR applies to the processing of personal data of people located in the European Union. The Regulation cannot be ignored by an organization simply because it is based outside the EU. You are considered within the territorial scope if you offer goods or services to (or monitor the behavior of) persons in the EU. These days that applies to just about every international firm with interests in Europe, and businesses who may through their website make goods or services available to people in Europe.
What obligations does the GDPR place on our company?
GDPR requires entities that process personal data to demonstrate compliance, by, for example, asking companies to hold an inventory of that data and to create and maintain clear data protection notices and policies, and demonstrating what it does with that data, such as personal data (any information relating to an identified or identifiable person; and sensitive data (race, religion, political opinion, health, sexual orientation, etc.).
What does the GDPR do for the individual?
The GDPR also enhances the rights of individuals (whom it refers to as “data subjects”). The enhancements include:
- Portability of data – the right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.
- The right of erasure of data, aka ‘the right to be forgotten.’
- Access rights. Under the GDPR, individuals will have the right to obtain: confirmation that their data is being processed, access to their personal data, and other supplementary information – this largely corresponds to the information that should be provided in a privacy notice (see Article 15). These are similar to subject access rights under the existing legislation, currently in force until May 2018 (via the Data Protection Act 1988).
What are the consequences of getting it wrong?
Failure to comply with the GDPR obligations may result in the imposition of penalties up to 4% of annual worldwide turnover or €20 million, whichever is greater, and of course concomitant damage to your company’s reputation.
Careful observation and compliance with the GDPR, on the other hand, will augment your company’s reputation and, thus, its value.
We are here to help
May 25th is right around the corner. We can help guide you through the necessary steps to take to ensure any necessary transition or introduction of policies and procedures are as seamless as possible. These include:
- Awareness of how the GDPR will impact your business
- Inventory of personal data you hold
- Review of current privacy notification process and plans to comply with the GDPR
- Understanding of individuals’ rights and how you should comply
- How to manage subject access requests
- Lawful basis for processing personal data
- Review of how you seek, record and manage consent
- Verifying individuals ages and seeking parental consent for minors
- Procedures for managing, reporting and investigating data breaches
- Data protection impact assessments
- Appointing data protection officers
Who to call?
New York – Allan Rooney, Founding Partner – firstname.lastname@example.org – +1 212 545 8022
London – John Nimmo, Founding Partner – email@example.com – +44 (0)208 629 2151
This article is one of a series intended to de-mystify common legal issues for the non-lawyer and entrepreneur audience – they are designed to foster discussion and is by no means exhaustive. These materials are for informational purposes only. Nothing herein is intended nor should be regarded as legal advice. The distribution of this article to any person does not establish an attorney-client relationship with our firm. Rooney Nimmo assumes no liability in connection with the use of this publication. This bulletin is considered attorney advertising under the applicable rules of New York State. Rooney Nimmo UK is regulated by the Law Society of Scotland and Rooney Nimmo US by the New York Rules of Professional Conduct. All Attorneys and Solicitors listed in this firm stipulate their jurisdictional limitations. Rooney Nimmo in the USA is a law firm registered as a New York State Professional Corporation.