The General Data Protection Regulation (“GDPR”) is a sweeping piece of legislation that expands and largely unifies the patchwork of privacy regulations across the European Union. Its purpose is to offer comprehensive protections for the privacy rights of individuals in the European Union, but its requirements will affect organizations worldwide.
The GDPR regulates all “personal data,” which is broadly defined as “any information relating to an identified or identifiable natural person.” The regulation encompasses organizations with a European Union presence as well as non-European Union organizations offering goods and services to individuals in the European Union (e.g. through a website) or monitoring the behavior of individuals in the European Union (e.g. through website cookies). Additionally, the GDPR applies not only to controllers (entities that determine why and how personal data is processed), but also to processors (entities who process personal data at the direction of controllers).
The regulation takes effect on May 25, 2018. Starting that day, organizations that do not comply with GDPR requirements will immediately be exposed to penalties of up to €20,000,000 or 4% of their worldwide annual turnover—whichever is greater.
To prepare for GDPR compliance, organizations may need to develop or amend their:
- Consent mechanisms for the collection and processing of personal data;
- Privacy notices;
- Data maps;
- Privacy impact assessments;
- Data security measures;
- Vendor and customer contracts;
- Documented bases for transferring personal data across international borders;
- Ability to support individual rights requests, including the right to:
  - Object to processing;
- Record retention policy;
- Data breach incident response plan; and
- Privacy and cybersecurity training.
Additionally, certain organizations will be required to retain one or more data protection officers to oversee and monitor compliance with the GDPR.
The complete text of the GDPR is available here.
Given the extensive scope of GDPR mandates and the magnitude of potential penalties for non-compliance, now is a good time to evaluate your organization’s readiness for GDPR and begin the process of filling in any gaps. Maynard Cooper’s Cybersecurity & Privacy team can help navigate this process by:
- conducting GDPR-applicability assessments and GDPR-readiness evaluations;
- reviewing, drafting, or revising contracts, notices, and policies to ensure external-facing information satisfies GDPR requirements; and
- developing, updating, or implementing GDPR-compliant privacy and information security programs, procedures, and training within your organization.
We welcome your questions about the GDPR or any other global privacy and cybersecurity requirements. For more information visit the Cybersecurity & Privacy Practice page or contact J.T. Malatesta, Starr Drum, or Jon Levin.
This Client Alert is for information purposes only and should not be construed as legal advice. This information is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. For more information or an explanation about the matters discussed in this Alert, please contact one of the attorneys listed above.