ARE YOU COMPLIANT WITH THE EU GDPR? (General Data Protection Regulation)

Even if you were not subject to the European Union (EU) Data Directive, you may be subject to the GDPR, which came into effect on May 25, 2018, given its broader territorial scope and that data processors are now directly regulated. In addition, the GDPR broadens pre-existing data processing requirements and includes tougher sanctions for non-compliance.

What is the GDPR?

The GDPR is a European regulation that governs the processing of personal data (data concerning a natural person). "Processing" includes the collection, storage, use, disclosure, or retrieval of personal data. It also contains provisions giving personal data subjects certain individual rights in connection with their personal data.

What is Personal Data?

The definition of "personal data" is broad. It includes virtually any information related to an identified or identifiable natural person (a "data subject").

Who Must Comply with the GDPR?

You may be subject to the GDPR even if you do not have a physical establishment in the EU. The GDPR applies to:

  1. controllers (those who determine the purposes and means of the processing of personal data) and processors (those that process personal data on behalf of a controller) with an establishment in the EU, regardless of whether the processing takes place in the EU, and
  2. a person or entity that offers goods or services to data subjects in the EU or that monitors their behavior as far as their behavior takes place in the EU, regardless of whether the person or entity has an establishment in the EU.

An establishment is not defined by a particular presence or legal form. According to the recitals in the GDPR, establishment "implies the effective and real exercise of activity through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect."

What Does the GDPR Require?

Controller Obligations

  • Obtain consent for or document other justification for processing activities and provide notice of processing activities
  • Implement special processes to address data collection and processing for children under 16
  • Implement and maintain appropriate data security measures
  • Implement "privacy by design" and "privacy by default"
  • Notify data protection agencies and data subjects of breaches, in certain cases
  • Perform Data Protection Impact Assessments (DPIAs, for short) and consult with regulators before performing certain processing activities
  • Honor and implement processes to address data subject rights
  • Implement appropriate monitoring/due diligence and data use agreements in connection with data processors
  • Maintain documentation of processing and compliance activities
  • Comply with cross-border transfer restrictions
  • Appoint a Data Protection Officer, if required
  • Cooperate with supervisory authorities

Processor Obligations

  • Maintain appropriate data security measures
  • Notify controllers of all breaches
  • Assist with DPIAs
  • Assist with processes to address data subject rights
  • Obtain consent from controllers for arrangements with sub-processors
  • Implement appropriate monitoring/due diligence and data use agreements in connection with sub-processors
  • Maintain documentation of processing and compliance activities
  • Ensure personal data is deleted or returned when processing activities end
  • Comply with cross-border transfer restrictions
  • Appoint a Data Protection Officer, if required
  • Cooperate with supervisory authorities

What are the Penalties for Non-compliance?

Penalties for non-compliance can be as high as €20 million or 4% of total global turnover from the prior year, whichever is higher. The penalties are clearly severe and, if imposed, could threaten the viability of many companies. Data subjects are also entitled to specific remedies under the regulation.

More Information

To view more resources, including the extensive GDPR Implementation Guide and GDPR Reference Checklist, click on the "Resources" tab at the top of this page.