Part I: The Basics
In Part I of this three-part series, which will explore the ins and outs of the recently enacted GDPR, I will review the basics of this new European Union law. Because the law is still very new, few know exactly how it will be implemented and enforced, and the GDPR itself leaves much room for interpretation. Many companies outside the European Union, including those in the United States, want to know whether they are subject to the GDPR at all. I cover those issues in this Part I, below.
In Part II of this series, I will dive deeper into the nuts and bolts of the law, exploring the relevant definitions and role players required to help keep companies in compliance with the GDPR.
In Part III of this series, I will review those steps that companies that fall within the scope of the GDPR should take in an effort to comply with the GDPR.
What Does GDPR Mean?
GDPR is an acronym for the General Data Protection Regulation, a new set of privacy laws enacted at the end of May 2018 in the European Union. In essence, it is a regulation that requires businesses to protect the personal data and privacy of EU citizens handled in connection with transactions and the monitoring of such data.
The enactment of the GDPR marks the most significant change to European data privacy and security protections in over twenty years. It replaces the EU’s Data Protection Directive, which went into effect in 1995.
When Was It Enacted?
The GDPR was enacted in the EU on May 25, 2018.
What Types of Privacy Data Does the GDPR Protect?
Basic identity information such as name, address and ID numbers
Web data such as location, IP addresses, cookie data and RFID tags
Health and genetic data
Racial or ethnic data
Sexual orientation and sex life
Religious and philosophical beliefs
Trade union membership
The last five categories set forth above (health and genetic data, racial or ethnic data, sexual orientation and sex life, religious and philosophical beliefs, and trade union membership) are considered special categories of personal data. Processing of such data is prohibited under the GDPR unless one of several conditions applies, including, for example, where the data subject has given explicit consent or where there is a substantial public interest.
What Does the GDPR Require?
In short, the requirements of the GDPR are vague and left open to much interpretation, often requiring the use of the “rule of reason”. The laws require that companies must provide a “reasonable” level of protection for personal data, but the laws do not precisely define what constitutes “reasonable”.
Nevertheless, we know that the standards that will be implemented will be quite high and compliance will be rigorous and will require most companies to make a large investment to maintain and to administer overall data protection plans and strategies necessary to comply with the laws.
Do Businesses In the United States Have To Comply With GDPR?
Many will, yes. Under Article 3 of the GDPR, a company may be subject to the new law if it processes the personal data of an individual residing in the EU at the time the data is accessed. This is certainly the case where the processing of such information is done in connection with the offering of goods or services or the monitoring of behavior that takes place in the EU.
Additionally, the GDPR can apply even if no financial transaction occurs. For example, if your company, although located in the United States, nevertheless maintains an Internet presence (as most businesses do in 2018), is selling or marketing products over the Internet, or even offers a marketing survey globally, it may be subject to the regulations.
Although your company may not fall within the purview of the regulations if it is merely using general marketing tactics such as Google AdWords (even if an EU resident finds his/her way to your site as a result), the GDPR will likely apply to your company if you: (i) intentionally pursue EU residents; (ii) accept the currency of EU countries; (iii) maintain a webpage with a domain suffix for an EU country; (iv) offer shipping to an EU country; (v) provide translation in the language of an EU country; or (vi) market in the language of an EU country.
Specifically, companies that meet any of the following criteria fall within the purview of the law:
A presence in an EU country
No presence in the EU, but it processes personal data of EU residents
It employs more than 250 employees
It employs fewer than 250 employees, but its data processing: (i) impacts the rights and freedoms of data subjects; (ii) is not occasional; or (iii) includes certain types of sensitive personal data.
For this reason, all U.S.-based companies with a strong Internet presence should carefully consider whether their business activity falls within the scope of the GDPR.
What Are The Penalties If Your Business Does Not Comply?
If your company is required to comply with the GDPR and fails to do so, the GDPR allows for the imposition of significant penalties and fines. Such fines are calculated based on the company’s global annual turnover for the preceding financial year and can reach up to 4% of turnover or 20 million Euros, whichever is greater, for serious breaches; and 2% of turnover or 10 million Euros, whichever is greater, for lesser violations.
Although the authorities charged with imposing such fines and penalties have publicly indicated that, provided companies are making good-faith efforts to comply with the law, they will likely not impose harsh fines for non-compliance at the onset, it is nevertheless a good idea to begin concerted compliance efforts immediately if you believe the GDPR applies to your company.
In What Situations Does GDPR Apply?
The scope of the GDPR is far-reaching. Some of the areas where the laws certainly will apply include:
Credit card processing
Marketing studies and research
M&A due diligence
Data transfers and licensing
Labor and employment
Human Resources operations
The prosecution of business crimes and handling of investigations