New Data Protection Regulation in the European Union

On May 25, 2018, the European Union (the “EU”) Parliament implemented the General Data Protection Regulation (the “GDPR”). The GDPR replaces the prior Data Protection Directive 95/46/EC, in an effort to create uniform data protection laws across the EU member countries. The GDPR was created in the spirit of transparency. The articles of the GDPR protect and empower the citizens of the EU by affording them more control over their personal data. The GDPR already has impacted how companies conduct business in the EU, specifically with respect to data collection and use. Additionally, the GDPR potentially may affect companies that collect and/or utilize data concerning an EU citizen, regardless of whether that citizen is located in the EU at the time of the data collection/use.

The EU currently consists of 28 member countries. That list still includes the United Kingdom, despite the well-publicized “BREXIT” (concerning which the United Kingdom is expected to depart the EU officially on March 29, 2019). Importantly, the GDPR protects all citizens of EU member countries, and the GDPR impacts business in several key ways:

  • territorial scope of the regulations and requirements;
  • requirements for clear, concise, and specific consent forms describing the means of data collection and storage, as well as the intended use(s) for any collected data;
  • hiring of an official data officer responsible for mapping and tracking all personal data of EU citizens while in the possession of a business; and
  • severe penalties for compliance violations.

Major Points
The GDPR dramatically increases the scope of EU data protection regulations. Prior to the GDPR becoming effective, companies that maintained their company data processing outside the EU were not subjected to EU-specific data protection regulations. However under the GDPR, any organization that monitors the behavior of EU data subjects, or processes and holds the personal data of residents in the EU, is subject to the regulations, regardless of physical location.

The first major shift in how companies conduct business with EU residents will be the new regulations regarding consent. Under the GDPR, a request for consent must be given in an understandable way, absent of vague or complicated terms or conditions consisting of mystifying legalese. Further, the consent form must state explicitly both: (i) the purpose for the data being requested; and (ii) everywhere such personal data will be stored. Beyond that, the form of the consent document must be independent of all other forms (i.e., terms of use, privacy policy, terms of service, etc.).

The second major shift will be the duty of companies to hire or appoint a Data Protection Officer (“DPO”). The DPO is responsible for the internal record keeping requirements of the GDPR. The DPO also is responsible for mapping out the personal data in a company’s possession to ensure that it is easily identifiable. That mapping and organization will be vital, at a minimum, based on: (i) the rights of EU citizens under the GDPR to request that their data be sent to them or erased at any time; and (ii) the duty of the DPO to notify any individual whose data may have been compromised immediately following a breach. The DPO also will be the direct correspondent to the Data Protection Authorities, which have an office in every EU member country. Finally, the DPO can be externally or internally appointed but must not perform any other tasks within the company that possibly could impede his or her position as the DPO.

Moving Forward
As the GDPR is brand new legislation, there exists little analysis and interpretation of the text to this point of course. Our recommendation to our clients is to review their existing policies and practices in light of the new GDPR requirements. Penalties under the GDPR can be up to four percent (4%) of a company’s annual global turnover or $23.4 million U.S. (depending on which is higher). We will continue to provide updates as this new area of the law develops. For more information on GDPR compliance and related inquiries, please contact us.

The material on this site is for general informational purposes only and is not intended to be, and should not be construed to be, legal advice. There shall be no liability accepted as a result of any improper reliance on the material on this site. A qualified lawyer should always be consulted with regard to any specific legal issue or problem.