General Data Protection Regulation (GDPR)
Kegler Brown Global Business News January 9, 2018
Smart Summary for International Businesses
- The General Data Protection Regulation (GDPR) goes into effect on May 25, 2018, and will have broad implications for both EU and U.S. based businesses.
- The GDPR will apply not only to organizations located in the EU, but also to those located outside of the EU that offer goods or services to data subjects in the EU (including online sales), or that monitor the behavior of data subjects in the EU.
What is the GDPR?
The GDPR is a new EU data protection regulation with extra-territorial applicability. The GDPR will replace the existing EU Data Protection Directive.
Who does GDPR affect?
The GDPR applies broadly to all organizations that are established in the EU. The GDPR also applies to organizations established outside of the EU, if the organization:
- Offers goods or services (including online sales) to data subjects in the EU; or
- Monitors the behavior of data subjects in the EU; or
- Provides services to an entity described above.
Cloud service providers and cloud-hosted services are not exempt from GDPR enforcement.
What constitutes personal data?
- Under the GDPR, personal data is defined broadly and includes any information related to a data subject that can be used to directly or indirectly identify the person.
- This includes the data subject’s name, photo, email address, bank details, medical information, and even online identifiers such as IP addresses and cookies.
Effective May 25, 2018, entities may be fined up to €20 million or 4% of global turnover (whichever is greater) for non-compliance with GDPR.
Data Subject Rights
The GDPR gives Data Subjects numerous rights that organizations must be familiar with, communicate to Data Subjects, and ensure Data Subjects can exercise. Some of those rights include:
- Breach Notification: Data Subjects must be notified within 72 hours of the organization becoming aware of the breach.
- Right to Access: Data Subjects may obtain confirmation as to whether or not their personal data is being processed, where, and for what purpose, at no charge.
- Right to be Forgotten: Data Subjects may demand deletion of their own personal data, cessation of further dissemination, and potentially have third parties halt processing of the data.
- Data Portability: Data Subjects may demand a copy of their own personal data in order to transmit it to another controller.
- Privacy by Design: Data protection must be designed into plans, systems, and processes at the outset, rather than added later.
- Data Protection Officers (DPO): Some entities must appoint a DPO with expert knowledge of data protection law and practices, who reports directly to the highest level of management.
Kegler Brown’s Approach to GDPR
View our Privacy + Data Security team’s approach to information security issues related to global business operations by following this link.