What You Need to Know About the New General Data Protection Regulation (“GDPR”)

You have probably received a lot of notifications in the past few days, alerting you that all your favorite vendors have updated their Privacy Policy. Here’s what they’re talking about.

The European Union General Data Protection Regulation

With so much of today’s business depending on the digital economy, the regulation and protection of personal data is a high priority across the globe. As of May 25, 2018, the European Union (“EU”) General Data Protection Regulation (“GDPR”), which governs consumers’ private information and is intended to give EU citizens control of their personal data, takes effect.

The GDPR applies to both data controllers as well as data processors. Under the GDPR, a controller is a, “person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing of personal data,” while the processor is a, “person, public authority, agency or other body which processes personal data on behalf of the controller.” With regard to territorial reach, the GDPR applies to any organization operating within an EU member state, as well as any organization outside of the EU that offer goods or services to customers or businesses in the EU. This means that the EU law is likely to impact businesses globally, including those in the United States that hold personal data of EU citizens. Failure to comply with GDPR can result in a number of penalties. Organizations can face sanctions and fines ranging from 10 million euros to four percent of the company’s annual global turnover. Additionally, an EU citizen has a private right to sue for violations.

How Does the GDPR Apply to Businesses?

Generally speaking, the GDPR focuses on requiring organizations to have consent to possess personal data. Consent must be freely given, specific, informed, and unambiguous. Requests for consent should be separate from other terms and must be in clear and plain language. A data subject’s consent to processing of their personal data must be as easy to withdraw as to give. Additionally, consent must be “explicit” for sensitive data. The GDPR gives data subjects a number of important rights that allow for self-control of personal data, including:

  • The right to know exactly what personal data an organization has about them without undue delay and the right to have incomplete personal data completed;
  • The right to erase personal data (“right to be forgotten”) from the organization’s records when processing is no longer necessary; and
  • The right to prevent further processing of personal data (“restriction”) under a number of different circumstances.

Aside from the technical changes required by the legislation, there are a number of steps your business can take to ensure you are legally protected and in compliance with the GDPR.

  • Analyze the legal basis on which you use personal data: Determine whether your use is in compliance with the GDPR or any other privacy-related regulation. You must also consider what data processing you undertake.
  • Bear in mind rights of data subjects: Ensure business and legal operations are capable of supporting the rights of data subjects provided within the GDPR in an efficient manner.
  • Check your privacy notices and policies: The policies and notices displayed on your digital platforms are the basis for which consent is received. It is wise to have your policies and notices reviewed to ensure compliance with the GDPR.

Speak to an Attorney Right Away

The GDPR is a broad and large piece of legislation intended to have global impact. If you have any questions or are unsure whether the GDPR applies to you and whether you are in compliance with its requirements, the attorneys at Sparks Law would be happy to help!