The General Data Protection Regulation (“GDPR”) will come into effect this Friday, May 25, 2018 and will repeal and replace the European Union’s current data protection laws. No grace period for compliance is provided and therefore, organizations must take action now to comply with the new regulations.
What is the GDPR?
The GDPR is Europe’s new framework for data protection laws. It regulates and protects the processing of personal information. It outlines new data protection laws and principles and expands on the privacy rights previously granted to individuals. The GDPR ensures that businesses are transparent about the personal data they handle and requires that they have a legitimate interest in storing and using personal information. It will therefore have a major impact on the policies and procedures of businesses surrounding the handling of personal data for both clients and employees, and on contracts between companies exchanging and handling personal data.
Within the GDPR there are a number of key changes for the public, as well as for the businesses and bodies that handle personal information, but the first to grasp is the large territorial scope of the new legislation. The GDPR will apply to organizations “established” in Europe, but more importantly, it will also apply to any organization offering goods or services (even if no payment is required) to individuals within EU countries, whether or not that organization is established in Europe.
The mere accessibility of a website from Europe or the use of a language generally used in the country where the organization is located does not trigger the extra-territorial effect of the GDPR. However, Supervisory Authorities will look at factors such as use of a language or currency generally used in one or more European Union member states, with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in Europe. The existence of such factors could trigger the extra-territorial effect of the GDPR.
In addition to a much wider territorial scope, the GDPR also contains a broader definition of personal data. The expanded definition now includes cookie IDs and IP addresses, and even a customer’s email address.
The GDPR also provides expanded rights for individuals. Data subjects will now have the right:
- to be informed,
- to access their data within one month and in most cases without a fee being charged,
- to request the rectification of data,
- to restrict the processing of data,
- to object to the use of data,
- to request the portability of data to another data controller, and
- to demand the erasure of their personal data.
Finally, companies must have a lawful purpose and basis for holding and processing personal data. A lawful purpose under the GDPR will include the performance of a contract or compliance with a legal obligation.
All organizations that are not in compliance with the new data protection regulations risk facing heavy fines. Supervisory authorities can impose fines of up to 4 percent (4%) of global turnover or €20,000,000, whichever is higher, for breaches of the GDPR.
Given the high level of accountability placed on businesses obtaining personal data, they are now required to implement appropriate policies, set up security protocols, conduct privacy impact assessments and keep detailed records of data activities. It is therefore imperative that you consider today whether your organization falls under the extra-territorial scope of the GDPR and, if so, whether you have sufficient policies and security protocols in place for the handling of personal information.
What do I do to comply with these new regulations?
CowanPerry PC is available to discuss whether the GDPR applies to your business and what we can do to make sure your company policies and contracts are compliant with these new stringent data protection regulations. If you have any questions or would like to speak to one of our attorneys, please contact us at: CowanPerry Director of Client Services and we will be glad to assist you.