With so much of today’s business depending on the digital economy, the regulation and protection of personal data is a high priority across the globe. As of May 25, 2018, the European Union (“EU”) General Data Protection Regulation (“GDPR”), which governs consumers’ private information and is intended to give EU citizens control of their personal data, takes effect.
The GDPR applies to both data controllers and data processors. Under the GDPR, a controller is a “person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing of personal data,” while a processor is a “person, public authority, agency or other body which processes personal data on behalf of the controller.” With regard to territorial reach, the GDPR applies to any organization operating within an EU member state, as well as any organization outside of the EU that offers goods or services to customers or businesses in the EU. This means that the EU law is likely to impact businesses globally, including those in the United States that hold personal data of EU citizens. Failure to comply with the GDPR can result in a number of penalties. Organizations can face sanctions and fines ranging from 10 million euros to four percent of the company’s annual global turnover. Additionally, an EU citizen has a private right to sue for violations.
Generally speaking, the GDPR focuses on requiring organizations to have consent to possess personal data. Consent must be freely given, specific, informed, and unambiguous. Requests for consent should be separate from other terms and must be in clear and plain language. A data subject’s consent to processing of their personal data must be as easy to withdraw as to give. Additionally, consent must be “explicit” for sensitive data. The GDPR gives data subjects a number of important rights that allow for self-control of personal data, including:
Aside from the technical changes required by the legislation, there are a number of steps your business can take to ensure you are legally protected and in compliance with the GDPR.
The GDPR is a broad and large piece of legislation intended to have global impact. If you have any questions or are unsure whether the GDPR applies to you and whether you are in compliance with its requirements, the attorneys at Sparks Law would be happy to help!