EU General Data Protection Regulation: It’s Coming – Are You Ready? Yes, I Mean You.

December 2017

If you do business in the European Union (EU) or gather information from or about EU residents, then you may need to comply with the EU’s General Data Protection Regulation (GDPR), or you could face significant fines.

What is the GDPR?

The GDPR is an extensive new data protection framework that comes into effect on May 25, 2018. The GDPR is far-reaching not only in its protections of personal data, but also in its territorial effect. Any organization that offers goods or services to, or monitors the behavior of, EU residents may be subject to the GDPR.

What does this mean to you?

The GDPR regulates processing of EU residents’ personal data. “Personal data” is defined in the GDPR as anything relating to an identified or identifiable individual person. Personal data includes a person’s name, email, location data, online identifiers, and ID numbers. The “processing” of personal data broadly includes any operation that can be carried out on or with data. It includes collection, recording, organization, structuring, storing, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, and erasure or destruction of data.

Because these definitions are so expansive, if your business receives or stores any information about EU residents, you may need to comply with the GDPR.

What is required under the GDPR?

Entities subject to the GDPR must adhere to its requirements when processing personal data from EU residents. Specific requirements depend on what personal data you process, how you process it, and whether you are a data controller (the party that determines the purposes for which, and the way in which, personal data are processed) or a data processor (the party that processes personal data on behalf of the data controller).

The following are some of the requirements of the GDPR:

  • A subject business must implement measures to mitigate risks inherent in the processing of data. The degree of effort invested in a particular security measure must be based on the risk present in a particular setting or application. For example, a business processing the personal data of thousands of EU data subjects is expected to implement stronger security measures to protect such data than a business processing data for only a handful of data subjects.
  • A subject business must observe the rights the GDPR grants to data subjects, such as the “right to be forgotten.” This means that a business must have policies and procedures in place to ensure a data subject’s personal data are erased from all its systems.
  • Breach notification is mandatory in all member states when a data breach is likely to “result in a risk for the rights and freedoms of individuals.” Notice must be given within 72 hours of first awareness of the breach. Data processors will also be required to notify both their customers and their controllers, “without undue delay,” after first awareness of a data breach.

What happens if your business does not comply?

Failure to comply with the GDPR could result in significant fines for each breach: from the greater of 10 million Euros (approximately $11,650,000.00) or 2% of annual worldwide turnover (which is annual sales volume net of all discounts and sales taxes), to the greater of 20 million Euros (approximately $23,300,000.00) or 4% of annual worldwide turnover, depending on the impact of the breach.

If you believe that your business could be subject to the GDPR, feel free to contact one of our Cybersecurity & Data Privacy attorneys.
