The General Data Protection Regulation (GDPR) comes into effect on May 25, 2018 and represents a very significant overhaul of data protection regulation, both within the European Union and around the globe. Businesses will need to examine how they hold and use data and take steps to demonstrate compliance with the data protection principles.
Here are some key features of the regulation:
- GDPR is not limited in application to businesses within European Union member nations. It applies to all companies and organizations that offer goods or services to, or monitor the behavior of, EU citizens, with some narrow exceptions.
- The regulation applies to any activity that a company undertakes regarding “personal data,” which includes any information related to a natural person that can be used to directly or indirectly identify the person. Personal data can be a name, a photo, an email address, bank details, posts on social media, medical information, or a computer IP address. This includes persons who are customers, prospective customers or employees, as well as others.
- Data subjects have particular rights under GDPR, including the right to access their information, to have it corrected, and the “right to be forgotten,” among others.
- GDPR requires clear individual consent for the processing of personal data, with disclosures to data subjects that are easily accessible and understandable. The consent has to be to specific processing activities (i.e., not general in nature), and cannot be tied to the delivery of any benefits, where the effect may be coercive on the data subject.
- Under the GDPR, if a data breach occurs that impacts personal data, the business or organization must notify supervisory authorities within 72 hours of first knowledge.
- Covered entities found to be in breach of the GDPR can be fined up to 4% of annual global turnover or €20 Million, whichever is greater, depending on the nature of the breach.
Have you considered the impact of the GDPR on your company/organization? Do you know whether your company or organization is a “data processor” or “data controller” under the GDPR? Do you have procedures in place for protection and handling of personal information concerning EU citizens?
Whether you view GDPR as a challenge, an opportunity or both, there are measures you can take to help your business prepare for implementation of the regulation, from assessing risk to understanding the practical implications of the change in the law on a business’s processes and procedures.
This Data Security & Privacy Alert is intended to keep readers current on developments in the data security & privacy world and in the law, and is not intended to be legal advice. If you have any questions, please contact:
Sandy B. Garfinkel, Chair of the firm’s Data Security & Privacy Group, at 412-566-6868 or sgarfinkel@eckertseamans.com or
Stephen Foxman, Member of the firm’s Data Security & Privacy Group, at 215-851-8422 or sfoxman@eckertseamans.com.