In May 2018, the EU General Data Protection Regulation (GDPR) came into effect. GDPR is a comprehensive data privacy regime designed to standardize data protection law across the EU. Importantly, GDPR reaches beyond the EU’s borders, and in certain circumstances can apply to entities operating outside the EU that process the data of EU data subjects.1
GDPR imposes numerous restrictions and obligations on the collection, use, and transfer of personal data, including:
- Transparency. GDPR includes a number of specific requirements for privacy notices and disclosures. Notices must be clear, concise, and easily understood.2
- Lawfulness of Processing. Entities must identify the lawful basis for processing personal data. Where consent is relied upon as the lawful basis, it must be “freely given, specific, informed, and unambiguous.”3
- Data Subject Requests. Data subjects have the right to access, rectify, and erase data held about them by organizations.4
- Transfers. Among other requirements, data controllers must ensure that any transfers of personal data to third parties, particularly those third parties that process personal data on their behalf (i.e., processors), conform to GDPR’s strict obligations.5
- Security Standards. Controllers and processors must implement security measures appropriate to the risk, considering the state of the art, cost, and nature of the data being processed.6
- Breach Notification. GDPR has a broad definition of what kinds of incidents trigger notification and allows only 72 hours to make appropriate notifications.7
- Recordkeeping. Most entities must keep written documentation of processing activities.8
- Cross-Border Data Transfers. GDPR permits controllers or processors to send data outside the EU only if the destination country has a privacy regime that the European Commission (EC) has determined provides “adequate” protection for personal data, or if the parties are using mechanisms that the EC has determined provide “adequate” protection, such as the Privacy Shield for EU-US data transfers, model clauses, and binding corporate rules.9
- Data Protection Officer. Entities whose core activities relate to data monitoring or that process sensitive categories of information on a large scale should designate a Data Protection Officer to monitor compliance.10
Compliance with GDPR is a must for companies that operate in the EU, handle EU personal data, or target their goods or services to the EU. While compliance with GDPR can be costly, noncompliance can be even more so: sanctions for violations of GDPR can reach four percent of worldwide revenue or €20 million (whichever is higher).11
1 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR).
2 Id., art. 12.
3 Id., art. 6.
4 Id., arts. 15-21.
5 Id., art. 29.
6 Id., art. 32.
7 Id., art. 34.
8 Id., art. 30.
9 Id., arts. 44-50.
10 Id., arts. 37-39.
11 Id., art. 84.