Equinox Blog & Legal Updates

General Data Protection Regulation Goes Into Effect

May 26, 2018

All Fridays are special, but Friday, May 25, 2018 is even more special because the European Union’s General Data Protection Regulation (GDPR) goes into effect. If you are tempted to stop reading because HEY! this is the US not the EU, hang in there, because if your company handles data belonging to people in the EU, even just a small amount, the law likely applies to you.

The GDPR protects “personal data” of persons who are located in the EU. Personal data has a broad definition and includes “any information relating to an identified or identifiable natural person.”1 This can mean all kinds of information, not just information that is private or sensitive – name, screen name, telephone number, email address, IP address, location, demographic information, credit card... the list goes on. The law applies to organizations inside the EU and organizations that “process” this personal data. Processing means a variety of activities done to personal data, namely, collection, transmission, storing, erasure, etc. The GDPR expands the territorial reach of privacy laws by applying to three types of organizations: 1) Entities with establishments in the EU or service providers to EU companies; 2) Entities with processing activities related to offering goods and services to people in the EU – even if for free. Offering goods and services can include targeting customers, advertising or shipping products to them, or even using the countries' languages or currency; 3) Entities that monitor the behavior of EU residents when that behavior takes place in the EU. This includes activities like profiling using a person’s online information and using cookies to collect information about visitors to your website, including locations of users and IP addresses.

If you fall into one of these categories, engage in these activities, or plan to expand into the EU, then the GDPR likely applies to your business and you will have to come into compliance as a processor of personal data. There are many aspects of this compliance, but the underlying theme is that EU residents have more control over their data. Among many other things, the GDPR requires that a business have a lawful reason for collecting the data in the first place; disclose what it is going to do with the personal data; seek consent from individuals before doing so (consent must be specific and informed); provide adequate protection and security of personal data and follow rules around the transfer of this data; and provide a way to correct personal data and erase personal data without delay. And let’s not forget about the fines for violating the GDPR, which are huge (the maximum fine being 20 million euros). Any person who suffers material or non-material damage because of a violation of the GDPR has the right to seek compensation, creating a direct liability for the processors of data.

The first step will be to determine if your business is covered by the GDPR. Equinox can help navigate this complex regulatory landscape.

1 Art. 4, ¶ 2, GDPR.

2 Art. 82, ¶¶ 2–3, GDPR.
