Is your business ready for General Data Protection Regulation, the EU privacy protection rules?

Is your business ready for General Data Protection Regulation (“GDPR”), the EU privacy protection rules?

The digital market has been rapidly advancing and reaching more people than ever before. Information is readily available through the use of electronic devices such as computers, cell phones, and smart devices, and global interactions are enhanced through social media sites such as Facebook, Twitter, and LinkedIn. With the recent rise of data security breaches, there is a global need for stricter data privacy regulations, and that is just what the European Union (EU) has created.

In May of 2016, the EU enacted the General Data Protection Regulation (GDPR) as a new framework for data protection laws. GDPR will be enforced beginning May 25, 2018 by the Information Commissioner’s Office (ICO). The main objective of this new regulation is to give EU citizens greater protection and rights over how their personal information is being used.

What is Protected and Who is Impacted
The GDPR will regulate the use, storage, and processing of personal (i.e. name, address, and IP address) and sensitive personal (i.e. religious/political beliefs, political opinions, and genetic/racial information) information. It protects personal data of EU citizens and affects organizations located in the EU and any organization outside the EU that process or hold EU citizens’ information, regardless of where the business is located. Therefore, this will not only affect EU companies, but may also impact U.S. domestic companies that do business overseas.

GDPR Rights and Requirements
EU individuals will now have more control over who and how their personal information is being managed. Citizens now must give clear and explicit consent to companies obtaining their personal information and have the right “to be forgotten,” in which their personal information can be erased if it is no longer used for its original purpose, there was no consent, or if it is unlawfully used. Individuals have the right to request (free of charge) and receive (within one month of the request) a report of any personal information an organization has about them. Citizens also have the right to be notified when there is a data breach and can sue for damages.

Companies will be held more accountable for the handling of citizens’ information. If any information is destroyed, lost, altered, or is used for an unauthorized purpose, it must be reported to the ICO and the individuals affected within 72 hours of the breach. Larger companies will also be required to document the reason information is collected and a description of what and how long it’s held, as well as data security measures in place. If the company processes sensitive information, it may also be required to have a data protection officer (DPO) to monitor GDPR compliance.

Noncompliance and Fines
If companies do not comply with the GDPR requirements, they may be subject to harsh and excessive monetary and/or legal fines. Fines may result up to the greater of €20 million or 4% of the company’s global revenue, which is significantly more than the current EU regulation. Companies may also be sued for material or nonmaterial damages by any individual whose was affected by noncompliance.

How GDPR will affect U.S. businesses
It is imperative that all EU companies that handle personal information of any EU citizen initiate measures to ensure compliance with the GDPR regulations. Since some U.S. domestic companies have foreign operations or websites that can be accessed by EU citizens, they will also be subject to the GDPR regulations if they access personal information. As a result, it is important for these companies to be knowledgeable about the EU laws and take precautionary measures in order to be in compliance with GDPR. This also presents a great opportunity for a competitive advantage for U.S. companies. Customers want to know that their information is safe and that data security is a top priority for companies. If businesses intimate some of these changes mandated in the EU, then customers may prefer GDPR compliant companies over others.

Article compiled by Lauren Swavely and Barry Groebel. For additional information contact the author by emailing