GDPR – General Data Protection Regulation
ARE YOU COMPLIANT WITH THE EU GDPR? (General Data Protection Regulation)
Even if you were not subject to the European Union (EU) Data Directive, you may be subject to the GDPR, which came into effect on May 25, 2018, given its broader territorial scope and that data processors are now directly regulated. In addition, the GDPR broadens pre-existing data processing requirements and includes tougher sanctions for non-compliance.
What is the GDPR?
The GDPR is a European regulation that governs the processing of personal data (data concerning a natural person). Processing includes the collection, storage, use, disclosure, or retrieval of personal data. It also contains provisions giving personal data subjects certain individual rights in connection with their personal data.
What is Personal Data?
The definition of personal data is broad. It includes virtually any information related to an identified or identifiable natural person (a data subject).
Who Must Comply with the GDPR?
You may be subject to the GDPR even if you do not have a physical establishment in the EU. The GDPR applies to:
- controllers (those who determine the purposes and means of the processing of personal data) and processors (those that process personal data on behalf of a controller) with an establishment in the EU, regardless of whether the processing takes place in the EU, and
- a person or entity that offers goods or services to data subjects in the EU or that monitors their behavior as far as their behavior takes place in the EU, regardless of whether the person or entity has an establishment in the EU.
An establishment is not defined by a particular presence or legal form. According to the recitals in the GDPR, establishment implies the effective and real exercise of activity through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect.
What Does the GDPR Require?
Controller Obligations
- Obtain consent for or document other justification for processing activities and provide notice of processing activities
- Implement special processes to address data collection and processing for children under 16
- Implement and maintain appropriate data security measures
- Implement privacy by design and privacy by default
- Notify data protection agencies and data subjects of breaches, in certain cases
- Perform Data Protection Impact Assessments (DPIAs) and consult with regulators before performing certain processing activities
- Honor and implement processes to address data subject rights
- Implement appropriate monitoring/due diligence and data use agreements in connection with data processors
- Maintain documentation of processing and compliance activities
- Comply with cross-border transfer restrictions
- Appoint a Data Protection Officer, if required
- Cooperate with supervisory authorities
Processor Obligations
- Maintain appropriate data security measures
- Notify controllers of all breaches
- Assist with DPIAs
- Assist with processes to address data subject rights
- Obtain consent from controllers for arrangements with sub-processors
- Implement appropriate monitoring/due diligence and data use agreements in connection with sub-processors
- Maintain documentation of processing and compliance activities
- Ensure personal data is deleted or returned when processing activities end
- Comply with cross-border transfer restrictions
- Appoint a Data Protection Officer, if required
- Cooperate with supervisory authorities
What are the Penalties for Non-compliance?
Penalties for non-compliance can be as high as €20 million or 4% of total global turnover from the prior year, whichever is higher. The penalties are clearly severe and, if imposed, could threaten the viability of many companies. Data subjects are also entitled to specific remedies under the regulation.
More Information
To view more resources, including the extensive GDPR Implementation Guide and GDPR Reference Checklist, click on the Resources tab at the top of this page.
Resources
Click on any of the resources below to learn more about the upcoming changes in the EU General Data Protection Regulation and how to be prepared.
- GDPR Implementation Guide: Key Provisions and Implementation Considerations
- GDPR Reference Checklist: A Quick Checklist for Organizations That Must Comply
- GDPR Presentation at ACCWESTSCT: You Can Run (Swim, or Fly), but You Can’t Hide – the EU General Data Protection Regulation (GDPR) on the U.S. Doorstep
GDPR Briefings – Webinar Series [1]
- The GDPR Comes into Force on May 25th: Are You In or Out? If your company is still on the fence about the GDPR, the clock ran out. Here are the key questions to ask and the basic actions to consider.
- Are Your Contracts with Data Processors GDPR-Ready? Hint: There is No Grace Period After May 25th. The GDPR came with a new set of requirements for contracts between controllers and processors. Is your company compliant?
- Before You Post that DPO Job Listing: When Does the GDPR Require Companies to Have a Data Protection Officer? The GDPR requires some companies to appoint a Data Protection Officer. Is your company one of these?
- Do Your Company’s Privacy Disclosures Need Review? The GDPR ups the ante for transparency in privacy disclosures to data subjects. Legacy disclosures from the days of the Directive may not cut it.
- Is Your Company on the Data Analytics Bandwagon? The GDPR Has Some Words of Advice and Caution. Monitoring and profiling EU data subjects is one way for non-EU companies to fall within the reach of the GDPR, and the GDPR lays down some new requirements for compliant monitoring.
- Don’t Panic, Just Triage: Last-Minute GDPR-Readiness Tips for the Serious Procrastinator. Basic tips for putting a meaningful ‘work in progress’ GDPR program into place.
[1] Note: This webinar series was prepared and published in Spring 2018, prior to the GDPR’s implementation date of May 25, 2018. All information in these webinar programs is limited to the information available as of their original publication.