September 18, 2018


GDPR Countdown: Just Days until May 25

What is the GDPR?

The EU General Data Protection Regulation is the EU’s most important data and privacy policy change in the past 20 years. GDPR was approved by the EU Parliament on April 14, 2016, with an effective date of May 25, 2018. GDPR will replace the Data Protection Directive 95/36/EC, in an effort to create concerted privacy laws throughout the EU, increase privacy protections for citizens, and limit the ways in which companies can collect personal data. With every other story in the news dealing with privacy concerns, data breaches, and major class actions stemming from these cybersecurity missteps against big-name companies, data privacy is imperative for all companies to prioritize. The GDPR goes into effect on May 25, 2018. Is your company ready?

Who is Impacted by GDPR?

Many US companies are asking whether they are impacted by GDPR, and the answer is yes: US companies are subject to GDPR provisions in many instances. In fact, an important piece of GDPR is understanding who is impacted by it, and the geographical scope is much larger than it may seem at first glance. GDPR provides data protection and privacy for EU citizens, and it applies to all companies offering goods and services to the EU. So even if your company is not based in the EU, you are subject to the regulations if you are collecting data from EU citizens, even if no financial transaction takes place. If your company is collecting any kind of PII (Personally Identifiable Information) from EU citizens, the broader scope of the law kicks in.

An Explanation of Some Key GDPR Terminology

In order to comply with the provisions of GDPR, it’s important to understand the data terminology used by the regulations. Below are some of the major terms, defined.

Who is a Data Processor and Who is a Data Controller?

Consider a scenario: your company, XXX, sells a product to EU consumers and uses the Ape Bulk emailing system to email EU clients or potential clients on behalf of XXX, and Ape tracks readership, engagement, and other email activity data. In that case, your company XXX is the data controller, and the Ape Bulk emailing system is the data processor. This can be construed even more broadly: if your firm has a website which EU subjects can access, the personal data regulations may be triggered if you have any type of readership analytics associated with your website.

Whether your company is a data controller or a data processor matters, but you’re not off the hook for GDPR compliance if you are a data controller. Generally, GDPR treats the data controller as the responsible principal party for collecting consent, managing the revoking of consent, and enabling data access. A data subject who wishes to revoke consent for his or her personal data therefore will contact the data controller to initiate the request, even if such data lives on servers belonging to the data processor. The data controller, upon receiving this request, would then proceed to request that the data processor remove the revoked data from its servers. However, Article 28 Sec requires data controllers to select only those data processors that can provide sufficient guarantees that the processor will comply with the GDPR and implement “appropriate technical and organizational measures” to protect the data. So controllers are legally obligated to select processors that are prepared for GDPR compliance.

Data processing under GDPR extends to several activities. These include operations performed on personal data or sets of personal data, including storing data, retrieval, erasure or destruction, or otherwise adapting or altering data sets. The use of legal contracts in a business setting, collection of employee information to provide to government agencies for tax filing (or other purposes), performing an internal administrative process (such as internal payroll services), or processing data to collect payment information are some instances in which data processors and controllers may process data without the data subject’s consent. This applies regardless of industry sector.

To be clear, while data processors are doing the work of complying with privacy regulations, data controllers are liable for selecting data processors that can comply with those regulations. If the data processor does not adequately perform the tasks required by GDPR, the data controller is responsible, and liable. Liable to the tune of up to €20 million or four percent of your total worldwide annual turnover of the previous financial year, whichever is higher.

Will the UK Be Affected by GDPR with the Impending Brexit Split?

As previously discussed, any company which operates in the EU, sells to EU residents, or collects data, privacy, and personal information from EU citizens will be subject to GDPR. Although Brexit has been finalized, UK companies are still affected by GDPR, as the UK will remain a member state through March 2019.

Once Brexit occurs, the UK will be treated as a third-party country, which will still be affected by GDPR policies if the country engages in the collection of personal information, research, or other services involving EU member-state residents.

Takeaways

GDPR is meant to synthesize data regulations across the EU, to create a more hospitable environment for business by making data requirements uniform and smoothing out data transfers across the European Union. Along with making the requirements consistent, the regulation is also designed to make sure EU citizens are offered a high level of data protection in today’s privacy-conscious world. Ultimately, these regulations are designed to facilitate business in the EU, and many analysts believe that the regulations, while initially onerous, will ultimately benefit businesses operating in the digital sphere.

In the meantime, compliance is essential. In our next installment, we will look at cookie disclosures and contract requirements, to help data controllers make sure data processors are compliant. In our third installment, we will take a look at breach notification requirements under GDPR.

Copyright ©2018 National Law Forum, LLC

About this Author

Managing Director

Jennifer Schaller, Esq. is the Managing Director and co-founder of the National Law Review on-line edition. Prior to the National Law Review, Jennifer most recently served as in-house counsel / director at CNA Surety. She also served in various marketing and business development roles as a vice president of Aon Services Group. Jennifer started her legal career as an insurance coverage attorney with Smith Amundsen, LLC in Chicago, IL.

In 2016-17, Jennifer is serving as the Vice Chairman for the Chicago steering committee for the Legal Marketing Association and on the Women...

708-357-3317
Operations Project Manager & Lead Writer

Eilene Spear is the Operations and Projects Manager for the National Law Review. She edits and formats author profiles, legal news content, and legal event listings from prominent law firms that publish on the NLR website.

As Lead Writer, Eilene writes extensively on a variety of legal topics, including legal marketing topics, interviews with top legal marketing professionals, and the newest trends in legal marketing. Additionally, Eilene writes on issues affecting the legal industry, such as women attorneys and the challenges they face, along with challenges related to a lack of diversity in law firms.

Additionally, Eilene works on various SEO projects and coordinates NLR staff on improvements to the NLR website and other marketing and outreach projects. As part of her job with client services, Eilene reviews the National Law Review analytics, ensuring clients get the most out of their relationship with the National Law Review. She enjoys working with clients, getting to know individual client goals, and helping clients realize those goals in their content marketing and thought leadership.

She also assists in various editorial, social media, and marketing functions at the National Law Review, and is a Certified Hootsuite Professional. Eilene attends conferences and other legal marketing events to represent the National Law Review in the industry.

Eilene earned her Master’s degree in English from Truman State University, as well as a Bachelor’s degree in Psychology and Criminal Justice. She started with the National Law Review in Chicago, where she lived on the North Side and loved to run along Lake Michigan by the Foster Avenue Beach. She relocated to Aurora, Colorado with her husband and two children, where they spend as much time outside as possible. She’s still a Cubs fan, though.

Please reach out to Eilene if you have any questions about the National Law Review.
