The General Data Protection Regulation (GDPR) came into force across the EU last year and became directly applicable in all EU member states without the need for local implementation. This will also affect the US market and American businesses are furiously working towards compliance!
They have physically established presence in the EU, regardless of whether the processing takes place in the EU, including branches, representatives, subsidiaries, affiliates or agents;
- They offer goods or services to individuals and businesses, based in the EU (whether free or paid) including websites and other online services accessed by or targeting EU based individuals or businesses, particularly in the country’s native language; or
- They monitor EU residents’ behaviour, including internet-based online behavioural advertising or profiling activities.
- EU residents’ behaviour, including internet-based online behavioural advertising or profiling activities.
Global and US-based organisations must assess whether the GDPR is applicable to their data processing operations. This includes the analysis of an organisation’s business activities and processing of personal data in that respect, looking at various process flows, including by type of data subject – customers, suppliers, third parties, such as sub-processors, employees, marketing lists and others.
“Personal data” is very widely defined under the GDPR and examples include names, email addresses, telephone numbers, financial and payment details, location data and IP address, amongst others. Broadly, if you can trace an individual from data, it means you are dealing with personal data. Examples of “processing” of personal data include collection, recording, organisation, storing, retrieving, using, disclosing or deleting.
If data processing activities of an American or global business fall within the scope of the GDPR, the business will need to invest both time and funds to have the right documents in place, including policies, privacy notices and contractual provisions.
In addition, the appointment of a Data Protection Officer may be necessary, as well as internal training to management and staff and changes to existing procedures and systems.
The consequences of non-compliance with GDPR will likely make a significant impact on any business and include:
- Up to 10 million Euros or 2% of annual worldwide turnover, whichever is greater, for breaches of (mainly) record keeping, contracting and security clauses;
- Up to 20 million Euros or 4% of annual worldwide turnover, whichever is greater, for breaches of (mainly) basic principles, data subject access requests, transfer to third countries and non-compliance with an ICO order (in the UK);
- Management time for internal investigations and cooperation with the authorities; and
- Damage to reputation
Although the GDPR compliance deadline is fast approaching it’s not too late! To consult with LawBite’s GDPR lawyer Alla Fairbrother, please submit an enquiry for a free 15-minute consultation or call our dedicated GDPR Hotline 0845 241 1843.
We have also put together a special LawBite Rescue GDPR Package for clients who need a little extra last-minute help with compliance. In addition to 12 GDPR compliant templates the package contains a 30-minute GDPR audit consultation and 2 hours of specific GDPR legal advice for only £495 + VAT (versus £675 + VAT).
If you haven’t yet, please do take advantage of our next FREE GDPR Webinar on the 9th May at 12 pm you can register here.