Doing Business in Europe? New Privacy Rules Go into Effect May 25

The General Data Protection Regulation (GDPR), which replaces the 1995 Data Protection Directive (95/46/EC) and the national laws that implemented it, such as the UK's Data Protection Act 1998, is a new set of privacy rules that applies to anyone who stores or processes the personal data of individuals in the European Union, regardless of whether the company has a physical presence in Europe: a firm outside the EU is covered if it offers goods or services to people in the EU or monitors their behaviour there. The regulation takes effect on May 25, 2018, and North American firms that deal with clients overseas need to be in compliance by that date or face hefty fines.

The GDPR defines personal data broadly as any information relating to an identified or identifiable person: an identification number, a bank account number, location data, an online identifier such as an IP address or cookie ID, or simply a name and email address. If personal data is involved in a breach, the organization must notify its supervisory authority within 72 hours of becoming aware of it (unless the breach is unlikely to result in a risk to individuals), and must also inform the affected individuals without undue delay when the breach is likely to result in a high risk to them. Under the GDPR, individuals also have other enhanced rights, including:

  • The right to erasure, also known as the right to be forgotten. An individual has the right to request that their data be deleted, including copies held in backups or cloud storage, and the organization must pass the request on to any processors and other recipients holding the data. Data that cannot be purged from a backup immediately should be put beyond use until the backup is overwritten. The right is not absolute: data that must be kept to meet a legal obligation, or that is still needed for the purpose it was collected for, can be retained.
  • The right to be informed. Firms must tell individuals, at the point of collection, who is processing their data, for what purpose, on what lawful basis and for how long, typically through a privacy notice written in clear, plain language rather than legal jargon.
  • The right to object. Individuals can object to processing carried out on legitimate-interest or public-task grounds, and can object to direct marketing at any time; an objection to direct marketing is absolute and must always be honoured.

Organizations that process personal data must have a lawful basis for doing so. The GDPR lists six: consent; performance of a contract with the individual; compliance with a legal obligation; protection of someone's vital interests; a task carried out in the public interest; and the organization's legitimate interests, provided these are not overridden by the individual's rights. Where consent is the basis, it must be freely given, specific, informed and unambiguous, expressed by a clear affirmative action: pre-ticked boxes, silence or inactivity do not count, and consent must be as easy to withdraw as it was to give. Firms must determine the lawful basis, and document it, before processing begins.

If one thing is clear about the GDPR, it is that whatever you do, it must be documented: organizations must keep a record of their processing activities (Article 30), with only a narrow exemption for small organizations whose processing is occasional and low-risk. This documentation could be the duty of a Data Protection Officer (DPO), which organizations are required to appoint in some circumstances: when they are a public authority, when their core activities involve regular and systematic monitoring of individuals on a large scale, or when they process special categories of data (such as health data) on a large scale. The DPO informs and advises the organization on its data protection obligations, monitors compliance, and is the point of contact for the supervisory authority and for individuals exercising their rights; the organization itself remains responsible for compliance. The GDPR allows this position to be held by an existing employee, as long as there is no conflict of interest and the professional duties are compatible, and the DPO must report directly to the highest level of management.

Questions your firm should be asking:

  • Is your privacy notice written clearly, and does it say what data you collect, why, on what lawful basis and for how long?
  • Do your processes uphold privacy by design and by default, so that only the data needed for each purpose is collected and retained?
  • Do you have a breach notification plan that can get a report to the supervisory authority within 72 hours?
  • Do you engage a third party to process any personal data, and is that relationship covered by a written contract that sets out the processor's obligations?

Those found in violation of the GDPR can be fined up to 4% of their total worldwide annual turnover for the preceding financial year, or €20 million, whichever is greater; a lower tier of 2% or €10 million applies to lesser infringements, such as failing to keep records of processing or to notify a breach. However, according to the European Commission, the most important aspect of the GDPR is that it builds client trust and confidence that sensitive personal information is being handled with appropriate care: only 15% of people feel they have complete control over the information they provide online, the Commission says.

Helpful resources: