The European Union’s General Data Protection Regulation (GDPR) became effective on May 25, 2018. Companies have been working to understand the significance of those new rules, and to determine their effect on US companies.
The purpose of the GDPR is to harmonize certain data privacy laws within the European Union (including the UK, for now). But it also covers businesses outside of the EU to the extent that those businesses sell goods or services – or even offer to sell, or market the sale of goods or services – to EU residents. It also applies to businesses that “monitor” EU residents, regardless of the location of those businesses.
While compliance with the GDPR is going to take the coordinated effort of companies’ leaders, legal officers, and human resources departments (one of the highest risk areas for GDPR compliance will be the processing of human resources data), here are some basic facts to support the effort to understand the GDPR:
- The GDPR applies to large corporations that collect, use, or even simply analyze “personal data” of EU resident consumers – but the regulations also apply to businesses with as few as a single EU customer or user;
- “Personal data” is defined as including phone numbers, email addresses, location data, and/or any other identifier that would directly or indirectly point to a particular individual;
- The GDPR does not apply to “anonymous information,” defined as information that does not relate to an identified or identifiable natural person (for example, for statistical or research purposes);
- Whether the GDPR applies to an individual is determined not by citizenship, but by the individual’s residential location – for example, a US citizen residing in France would be included, but a French national living in the US would not;
- A company covered by the GDPR must use “plain language” to explain to its users its collection methods and use of personal data, and must specifically state how long such data will be retained;
- Affected companies must provide to EU resident users a way to (1) access and, at the individual’s option, correct/delete data; and (2) object to the use of particular data;
- Companies or organizations also can be held liable for EU personal data misused by their business partners;
- The regulations allow for a private right of legal action within the EU for violation of the rules, which means that companies outside of the EU that violate the GDPR could face legal actions within the court of an EU Member State based on as little as a single violation; and
- The requirements for obtaining consent under GDPR are specific and onerous, and consent may be withdrawn by the data subject.
While these facts are only a portion of the information that should be reviewed and understood by companies who may be affected by the GDPR, there are many informative websites and articles available to assist in that compliance effort. Check out these 5:
- “Seven Steps for Businesses to Get Ready for the General Data Protection Regulation” – provides a handy list of the steps that companies should be taking to prepare for the new rules.
- “EU Data Protection Reform: Ensuring Its Enforcement” – describes the new European Data Protection Board and provides an info-graphic of that Board’s composition, its powers, and the penalties it can impose.
- “Data Protection: Better Rules for Small Businesses” – an informative and interactive site with clear, concise descriptions of the new rules, their implications, and how smaller businesses can effectively prepare.
- “6 Ways to Prepare for GDPR” – a Wall Street Journal article from earlier this year that condenses the actions necessary to prepare for GDPR.
- “General Data Protection Regulation: Preparation checklist” – taken from the UK’s Information Commissioner’s Office, here’s a checklist of 12 things to which companies should be paying attention as they move toward compliance with the GDPR.
Consider some other resources, from Ogletree’s blog on the topic:
If GDPR applies to your company, it is imperative to make good faith efforts to comply. Get started by making yourself knowledgeable through the available channels, developing a to-do list, and then assuring that it gets implemented appropriately. Good luck.
Thanks to Dani Vanderzanden from the Data Privacy Practice Group of Ogletree Deakins for her contributions to this article.
Image taken from eu gdpr portal.