Have you thought about whether your business can, or must, comply with the GDPR? The European Union’s (EU) General Data Protection Regulation (GDPR) becomes enforceable on May 25, 2018. The GDPR covers any entity, no matter where it is located or where the processing takes place, that collects or processes the personal data of individuals in EU countries (including the UK) in connection with offering goods or services to individuals in the EU or as a result of monitoring individuals in the EU. Only a short window remains to assess whether your business must comply and, if so, to put the requisite compliance programs in place.
Entities of all sizes that engage in such activities are covered. Ulmer has assisted not just multinational corporations, but even small local businesses that might have to comply with the new regulation. For instance, an Ohio home-based mail order company that collects customer names and credit card information of EU residents to take orders through its website, or a regional data processing company with only ten employees that analyzes European customer data for other manufacturing companies for marketing purposes, may be covered entities under the GDPR.
The GDPR is a regulation designed to allow covered Data Collectors and Data Processors to look to “standardized clear rules” throughout the EU, instead of having to comply with different sets of procedures in each EU member country. Failure to comply will result in significant fines, up to the greater of 4% of an enterprise’s worldwide income or 20 million euros per infringement. The GDPR requires enhanced cybersecurity measures and recordkeeping, and notification to the appropriate EU Data Privacy Agent (DPA) of a breach “without undue delay,” and where feasible within 72 hours. A covered entity may also need to modify existing privacy notices and third-party supply chain or vendor contracts to ensure that they are compliant.
Where the “core activities” of the entity involve regular and systematic monitoring of individuals (called “data subjects”) on a “large scale,” or such core activities involve processing sensitive personal data on a large scale, the entity will also need to appoint a Data Protection Officer (DPO) to monitor compliance.
The basic steps necessary to ensure GDPR compliance include:
Delay is not an option! The GDPR can be enforced by the EU member states’ DPAs, but data subjects and third-party non-profit groups acting on behalf of groups of similarly situated data subjects are also empowered to file suit over a violation, even absent material financial damages. Although it is difficult to predict how and where the GDPR will initially be enforced, it is critical that every potentially covered entity assess whether it must comply and, if necessary, come into compliance, before the deadline.