THE GENERAL DATA PROTECTION REGULATION (GDPR) is a comprehensive set of European Union (EU) data protection rules that became effective in May 2018. The GDPR applies to any company regardless of where it is located (including any US-based company) that collects, maintains or uses any personal data belonging to EU citizens. Failure to comply with the GDPR’s requirements can subject your company to fines of up to €20 million (approximately $23 million) or 4% of your company’s annual global revenue, whichever is higher. Businesses with less than 250 employees are exempt from some of the GDPR’s requirements but they still must comply with some of the more challenging aspects of the law. If your company is or may be handling the personal data of EU citizens, you should ensure that it is GDPR compliant to avoid any negative consequences.
In order to comply with the GDPR’s requirements, your company must, among other things, do all of the following:
Obtain Consent
Companies must obtain the consent of each EU citizen whose personal data they are collecting or processing. The consent must be clear and affirmative – meaning that a non-response or failure to object to a request for consent is not good enough. This is why many companies have added GDPR notices to their websites which require their website user to click a button consenting to the use of their personal data.
Grant Access To Personal Data
EU citizens can request copies of their personal data that the company has collected or processed. The company must provide the copies for free within one month of the request and the personal data must be provided in a commonly used format.
Delete Personal Data When Requested
EU citizens can request that a company delete their personal data and they can also request that the company stop sharing their personal data with any third parties. A citizen’s consent to use personal data can be revoked at any time.
Notify Any Data Breaches
If a breach of personal data belonging to EU citizens occurs, the company must notify the applicable EU agency within 72 hours of the breach. In some scenarios, the company must also notify the individuals affected by the breach.
Implement Data Security Procedures
Companies must implement GDPR-compliant policies, procedures and systems. They must also take appropriate measures to ensure the personal data they collect is only used for its intended purpose.
Appoint A Data Protection Officer
Companies collecting or processing EU citizens’ personal data must appoint a data protection officer (DPO). The DPO can be a member of the staff or an outside contractor.
Obtaining GDPR compliance is a difficult process. Once compliance has been established, your company should also implement appropriate policies and procedures to ensure that it will be maintained on an ongoing basis. In order to ensure that your company is complying with the GDPR, or to help determine whether your company needs to comply with the GDPR, you should consult with an attorney who is familiar with its requirements. For more information, please contact Mark W. Klein (mklein@brodywilk.com).