WHAT IS THE GENERAL DATA PROTECTION REGULATION AND DOES IT APPLY TO ME?
The General Data Protection Regulation, or GDPR, is a massive data protection or privacy law emanating from the EU.
Because the threshold for applicability is low, it will apply to most organizations, regardless of where they are located. For the law to apply, an organization merely has to offer its products or services to an EU resident, be established in the EU, or engage in widespread behavioral monitoring of website visitors.
The GDPR goes into effect on May 25, 2018. The goal of the law is simple: to give control of personal data back to the individual. While simple in theory, the law is dense and complex; of the 99 articles in the GDPR, a full 39 require companies to document their compliance and be able to provide evidence of it. This is called the Accountability Obligation and is a central theme of the law.
The GDPR requires companies to have a comprehensive understanding of all the data they collect, whether it is personal data or not, and how they use it. Specifically, companies must examine every process and every line of software code and conduct a privacy impact assessment to determine whether there is a privacy risk to the individual, whether that individual is a customer or an employee. Then, for each data element collected and used, the company must determine whether it has a legal basis to collect that data.
WHAT IS THE RISK OF NON-COMPLIANCE AND WILL THE GDPR BE ENFORCED?
The GDPR has real teeth to it. Penalties and fines can be as high as 4% of annual revenue or £20 million, whichever is greater. Furthermore, for the first time, class action litigation is also allowed, exposing a company to both regulatory enforcement and private litigation for the same transgression. We can anticipate robust enforcement from the data protection authorities, and they have been kind enough to signal that their priority enforcement actions will focus on transparency (how openly and honestly a company communicates its data practices) and on whether companies obtain valid consent, especially for the ubiquitous data collection that occurs on websites.