The General Data Protection Regulation, more commonly known as the GDPR, replaced an inconsistent country by country approach to how companies were required to handle the personal data of European Union (EU) residents. The EU Parliament approved the GDPR last month and all companies, including US companies, must be compliant by May 25, 2018 or face heavy fines that can be up to 20 million euros or 4% of a company’s prior year world-wide revenue, whichever is higher. This is not a typo. Now that I have your attention, let’s break the GDPR down to 2 important questions.
Does my US business offer goods or services to EU residents? If the answer is yes, you are subject to the GDPR.
First, what is a EU resident? A EU resident is any individual that resides in any of the 28 member states that form the EU. This applies to anyone who resides in the EU. Citizenship is NOT required. Second, there is no requirement that the company offering the goods or services be located in the EU. All that is required is that the individual resides in the EU. The GDPR focuses on the EU resident, known as the “data subject” and not the “data controller”. Consider the following, does your company have a website? If your website collects data from a EU resident you fall under the purview of the GDPR regardless whether you have a physical business location in the EU or any business transaction was consummated between your business and the EU resident. The mere surfing of a Pennsylvania business’s website by a EU resident makes your business subject to the GDPR.
Does my US business monitor the behavior of EU residents? If the answer is yes, you are subject to the GDPR.
Does your business engage in tracking or profiling the behavior of EU residents such that it uses such data to make business decisions or predict personal preferences of EU residents? Stated a bit clearer for the non tech savvy individual, have you ever wondered why or how ads seem to pop up that relate to items you had recently searched? This practice is covered under the GDPR.
Key Points of the GDPR
The GDPR requires that consent to the collection of data be given by a clear and affirmative act that is specific, informed and unambiguous. Silence or inactivity will not be considered consent. Consent can be shown by a “data user” clicking on a box that has not been prechecked that sets forth your consent in clear and unambiguous language.
2. Data Protection Officers
The GDPR requires data privacy officers be appointed at companies under certain circumstances. For example, if the company is involved in the public sector, has more than 250 employees or the company’s core business involves processing operations that require active monitoring. These data protection officers must be experts in the data protection field.
3. Data Breach Notification
As soon as your company becomes aware of a data breach, the EU supervisory authority must be notified within 72 hours of the breach. The EU resident affected by the breach must also be notified immediately if the breach involves the possibility of identity theft or fraud, physical harm, significant humiliation or damage to ones reputation.
4. Privacy Notices and Other Rights
The GDPR requires that certain disclosure are made in a privacy notice. While some disclosures such as the identity of the privacy officer, the purposes of data collection and the categories of the potential recipients of the collected data are not new, other rights are certainly new. For example, a EU resident now has the right to object, obtain the information collected about them, erasure and even correction and other rights not mentioned here.
Take Away – Compliance Deadline is Fast Approaching
The key takeaway here is that the May 25, 2018 compliance deadline is fast approaching. With unbelievably high fines available, affected EU residents are now empowered to go after US business that do not properly protect and/or collect their personal data. US companies will not be able to hide their heads in the sand merely because the affected individuals are across the pond. Meaningful enforcement penalties are available to EU residents. US companies need to take action now to understand how their business might be impacted by the GDPR and take corrective action now before GDPR compliance is required. For information in general on the GDPR click here. If you have any additional questions regarding this or any other aspect of your business, please feel free to contact Doug Leavitt at Danziger Shapiro & Leavitt, P.C.
This entry is presented for informational purposes only and is not intended to constitute legal advice.