All Fridays are special, but Friday, May 25, 2018 is even more special because the European Union’s General Data Protection Regulation (GDPR) goes into effect. If you are tempted to stop reading because HEY! this is the US not the EU, hang in there, because if your company handles data belonging to people in the EU, even just a small amount, the law likely applies to you.
The GDPR protects the “personal data” of persons who are located in the EU. Personal data is defined broadly and includes “any information relating to an identified or identifiable natural person.”[1] This covers all kinds of information, not just information that is private or sensitive: name, screen name, telephone number, email address, IP address, location, demographic information, credit card information, and the list goes on. The law applies to organizations inside the EU and to organizations that “process” this personal data. Processing covers a variety of activities done to personal data, namely collection, transmission, storage, erasure, etc. The GDPR expands the territorial reach of privacy laws by applying to three types of organizations: 1) entities with establishments in the EU, or service providers to EU companies; 2) entities whose processing activities relate to offering goods and services to people in the EU, even if for free (offering goods and services can include targeting customers, advertising or shipping products to them, or even using the countries’ languages or currency); 3) entities that monitor the behavior of EU residents when that behavior takes place in the EU, which includes activities like profiling using a person’s online information and using cookies to collect information about visitors to your website, including users’ locations and IP addresses.
If you fall into one of these categories, engage in these activities, or plan to expand into the EU, then the GDPR likely applies to your business and you will have to come into compliance as a processor of personal data. There are many aspects of this compliance, but the underlying theme is that EU residents gain more control over their data. Among many other things, the GDPR requires that a business have a lawful reason for collecting the data in the first place; that it disclose what it is going to do with the personal data; that it seek consent from individuals before doing so (consent must be specific and informed); that it provide adequate protection and security for personal data and follow the rules on the transfer of this data; and that it provide a way to correct personal data and to erase personal data without delay. And let’s not forget the fines for violating the GDPR, which are huge (the maximum fine being 20 million euros). Any person who suffers material or non-material damage because of a violation of the GDPR has the right to seek compensation, creating direct liability for processors of data.[2]
The first step will be to determine if your business is covered by the GDPR. Equinox can help navigate this complex regulatory landscape.
[1] Art. 4, ¶ 2, GDPR.
[2] Art. 82, ¶¶ 2–3, GDPR.