Big data futuristic visualization abstract illustration

A Giant Demanding Piece of … Restrictiveness: Do you need to pay attention to the coming GDPR?

A Giant Demanding Piece of … Restrictiveness: Do you need to pay attention to the coming GDPR?

August 28, 2017

A Giant Demanding Piece of … Restrictiveness: Do you need to pay attention to the coming GDPR?

By: Nicole Kardell

GDPR. If you see those letters and think it is an acronym for Gosh Darned Pain in the Rear (or an edgier equivalent) you are in large-part correct.  But if you don’t know any more than that, and you are a company with any ties to Europe, then you need to read further.

GDPR, the General Data Protection Regulation, is an extensive and broad-reaching regulation issued by the European Union dealing with how companies (including U.S. companies) process the data of people living in the E.U.  It replaces the E.U. Data Protection Directive and is slated to take effect May 25, 2018.

Companies that fall under the regulation’s requirements need to ensure (1) individuals’ data they are processing is secure in their hands, (2) that they have individuals’ consent to process it (or have an enumerated reason they don’t need consent), and (3) that they will keep individuals notified of individuals’ rights and developments surrounding the use of their data.

If you are a U.S.-based company, with little European presence, you may slough off the idea of getting into GDPR compliance. You may have analyzed the GDPR’s predecessor (the Data Protection Directive), decided that it didn’t implicate you, and assume the GDPR won’t implicate you either. Or you may have relied upon the Safe Harbor and assume you can continue to operate under that. Don’t draw assumptions. Don’t ignore the regulation. If you do, and you are ultimately found to have violated it, you could face some hefty penalties. Under the GDPR, there are two sets of thresholds for administrative fines[1]:

  • Up to €10million (almost US$ 12million) or up to 2% of global revenue, whichever is higher, for certain violations, including failure to implement data protection by design, failure to maintain written records, to report breaches when required; and
  • Up to €20million (almost US$ 24million) or up to 4% of global revenue, whichever is higher, for other violations, including failure to adhere to basic processing principals such as consent, notification of individuals’ rights, and international transfers.

These fines are meant to catch attention. Hopefully, they caught yours. They may inspire you to do a double take to see whether or not your business will be subject to the GDPR. The GDPR has a broader reach than the earlier Data Protection Directive. Moreover, the Safe Harbor is no longer valid.  It has been replaced by a “Privacy Shield” regime – which applies to data that companies transfer from the E.U. to the U.S.  But even the Privacy Shield is on shaky ground and it may not be enough to shield companies (so to speak) from liability for GDPR violations. GDPR is broader, covering information on E.U. residents even if the data is not transferred across borders – and instituting stricter measures in terms of how data should be handled.

Here are some questions you should ask to help you determine whether you need to prepare for the GDPR:

  • Do you have an E.U. office, or even a company representative who operates out of Europe?

If you have any real and effective European activity through stable arrangements (terms in italics represent terms used by E.U. courts to define implicated businesses), then you will be subject to the GDPR even if you do not process personal data in the E.U. So long as the data processed in the context of the European activities, the GDPR applies.

  • Are you outside of the E.U., but process data about E.U.-based individuals in connection with offering goods or services?

It does not matter whether or not there is any payment involved in the offer. Your offers can be free of charge and you are still implicated by the rule. So long as your company anticipates activity directed at E.U. individuals (e.g., you suggest items in E.U. currency or pay a search engine to increase access to E.U.-based people), you are implicated.

  • Are you outside of the E.U., but monitor the behavior of individuals in the E.U.?

If you track E.U.-based individuals online to create profiles, or to analyze or predict preferences, you are implicated.

The long and short is that, if you touch Europe, directly or remotely, in your operations and you process data that incorporates E.U. individuals, you should spend time assessing GDPR compliance.

For starters:

  • Review your E.U.-focused actual or directed information
  • Review the type of information you collect/use
  • Review the types of consent obtained and notifications on data usage provided
  • Review your service contracts to determine your company’s role in data processing and follow-on companies’ roles in data processing

[1] We will treat the E.U.’s ability to enforce these penalties in a later post, but assume they will be able to reach your assets.

Nicole Kardell

Nicole Kardell

Nicole is a certified privacy professional with expertise in European privacy law (CIPP/E), in particular GDPR. She helps companies navigate the changing face of privacy regulations and keep their business practices and partnerships in compliance with the law both domestically and abroad.

Related Practice(s)
Other Posts
New California Law Establishes Broad Protections for Children’s Online Privacy – Exceeding Federal Requirements
Oct 4, 2022

New California Law Establishes Broad Protections for Children’s Online Privacy – Exceeding Federal Requirements

By: Jake Gray
Telemarketing Restrictions During State of Emergency
Apr 7, 2020

Telemarketing Restrictions During State of Emergency

By: Nicole Kardell
One revision, two revisions … three revisions or more?: The California Attorney General Releases A Second Round of Edits to its Draft CCPA Regulations
Mar 17, 2020

One revision, two revisions … three revisions or more?: The California Attorney General Releases A Second Round of Edits to its Draft CCPA Regulations

By: Nicole Kardell
Putting the Brakes on Swift and Sweeping Adoption of Facial Recognition Technologies
Nov 12, 2019

Putting the Brakes on Swift and Sweeping Adoption of Facial Recognition Technologies

By: Nicole Kardell

Subscribe to Ifrah Law’s Insights