Background: The European Parliament adopted the GDPR in April 2016, replacing an earlier data protection directive from 1995. It carries provisions that require businesses to protect the personal data and privacy of European Union (EU) citizens for transactions that occur within EU member states. The GDPR also regulates the exportation of personal data outside the EU.
The GDPR protects the following types of personal data:
- Basic identity information such as name, address and identification number
- Web data such as location, IP address, cookie data and RFID tags
- Health and genetic data
- Biometric data
- Racial or ethnic data
- Political opinions
- Sexual orientation
Who is subject to the GDPR? The GDPR applies not only to organizations located within the EU, but also to organizations located outside the EU if they offer goods or services to, or monitor the behavior of, EU “data subjects”. Therefore, it applies to all companies processing and holding the personal data of data subjects residing in the EU, regardless of the company’s location.
Simply put, “processing” personal data means collecting, recording, gathering, organizing, storing, altering, retrieving, using, disclosing, or otherwise making available personal data by electronic means.
Take, for example, a company that collects personal information from its customers (which identifies a given employee) in order to sell them products. In turn, the company provides that data to its shipping vendors and payment vendors to ship the products to the customers and to bill and collect payment from the customers. Both the company/seller and the shipping company/payment company would be considered to “process” personal data and would be subject to the requirements of the GDPR.
Penalties: Under the GDPR, organizations in breach of the GDPR can be fined up to 4% of annual global turnover or €20 Million (whichever is greater). This is the maximum fine that can be imposed for the most serious violations. However, there is a tiered approach to fines; e.g., a company can be fined 2% for not having its records in order, for not notifying the supervising authority and data subject about a breach, or for not conducting an impact assessment. Companies must be able to show compliance by May 25, 2018.
If you own a business and have not yet undertaken an analysis to determine how the GDPR may impact you, contact our office to discuss what the next step is to ensure that you do not find yourself in the crosshairs of the EU for violating this new law.