One Year Until GDPR; Is Your Organization Prepared?
The General Data Protection Regulation (“GDPR”) is a sweeping piece of legislation that expands and largely unifies the patchwork of privacy regulations across the European Union. Its purpose is to offer comprehensive protection for the privacy rights of individuals in the European Union, but its requirements will affect organizations worldwide.
The GDPR regulates all “personal data,” which is broadly defined as “any information relating to an identified or identifiable natural person.” The regulation encompasses organizations with a European Union presence as well as non-European Union organizations that offer goods and services to individuals in the European Union (e.g. through a website) or monitor the behavior of individuals in the European Union (e.g. through website cookies). Additionally, the GDPR applies not only to controllers (entities that determine why and how personal data is processed) but also to processors (entities that process personal data at the direction of controllers).
The regulation takes effect on May 25, 2018. Starting that day, organizations that do not comply with GDPR requirements will immediately be exposed to penalties of up to €20,000,000 or 4% of their worldwide annual turnover, whichever is greater.
To prepare for GDPR compliance, organizations may need to develop or amend their:
Consent mechanisms for the collection and processing of personal data;
Privacy impact assessments;
Data security measures;
Vendor and customer contracts;
Documented bases for transferring personal data across international borders;
Ability to support individual rights requests, including the rights to:
    Object to processing;
Record retention policy;
Data breach incident response plan; and
Privacy and cybersecurity training.
Additionally, certain organizations will be required to retain one or more data protection officers to oversee and monitor compliance with the GDPR.
Given the extensive scope of GDPR mandates and the magnitude of potential penalties for non-compliance, now is a good time to evaluate your organization’s readiness for GDPR and begin the process of filling in any gaps. Maynard Cooper’s Cybersecurity & Privacy team can help navigate this process by:
conducting GDPR-applicability assessments and GDPR-readiness evaluations;
reviewing, drafting, or revising contracts, notices, and policies to ensure external-facing information satisfies GDPR requirements; and
developing, updating, or implementing GDPR-compliant privacy and information security programs, procedures, and training within your organization.
We welcome your questions about the GDPR or any other global privacy and cybersecurity requirements. For more information, please contact any member of our team listed below.
This Client Alert is for information purposes only and should not be construed as legal advice. This information is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. For more information or an explanation about the matters discussed in this Alert, please contact one of the attorneys listed above.