On May 25, 2018 a new regulation took effect in the European Union (“EU”) called the General Data Protection Regulation (“GDPR”). GDPR regulates how companies can process, collect, store, transfer, and/or use personal data from individuals in the EU. Consumers want to know what data is being collected and shared, as well as understand how it is being used. GDPR applies to all companies that process, collect, store, transfer, and/or use personal data of individuals in the EU, regardless of where the company is located. Personal data is broadly defined as information related to a natural person, or “data subject”, that can be used, directly or indirectly, to identify the person. It can be anything from a name, an email address, or bank details, to posts on social networking websites, a photo, cookies, or a computer IP address.
GDPR requires that companies that have access to such personal data implement certain security, information, and data protection protocols. Companies are also required to notify consumers and obtain consents related to the collection and use of such personal data, and to provide an easy way for individuals to revoke their consent. In addition, if others have access to the personal data provided to the company during the course of business, then it is important to hold those parties to the same standards required by GDPR, with the extent of the obligations depending on whether the access consists of controlling, processing, or simply accessing the personal data.
The consequences for noncompliance are hefty: the greater of €20 million or 4% of a company’s annual earnings. Therefore, it’s important to assess what personal data your company has access to and how it uses that data to ensure you’re in compliance. Although the burden of ensuring you’re in compliance might be costly and time-consuming, it will be much costlier and more time-consuming should you not be in compliance and get penalized or face a lawsuit.