GDPR is now in effect

Eversheds Sutherland (US) LLP

The General Data Protection Regulation (GDPR) took effect after two years of anticipation and preparation by many, but far from all, affected companies across the world. The GDPR is a new data protection and privacy law that applies not only to companies with a presence in the European Union (EU), but also to companies that offer goods or services into the EU or monitor or collect information about people in the EU. It also indirectly—but no less meaningfully—affects many companies that do business with those companies subject to the GDPR.

The GDPR is unlike any privacy law in the US. Unlike sector-specific privacy laws in the US, which may cover only certain companies like financial institutions or health care providers, or only certain kinds of sensitive personal information, the GDPR applies to all companies within its jurisdictional reach and to a far broader array of personal information than mere personally identifiable information.

Even though the GDPR is now in effect, US-based companies are still trying to determine whether the GDPR applies to them, and what their obligations are if it does. Pressing questions many US-based companies are asking include:

  • What steps should we take with respect to our US customers that have moved to the EU?
  • Do we need to make any changes to our website to comply with GDPR?
  • For our EU customers, do we have to provide a new disclosure document? Do we have to obtain a new consent to continue using their personal information?
  • What kind of updates to our contracts with EU vendors are necessary?

Getting the answers to those questions right is important—penalties for failure to comply with the GDPR can range up to the higher of €20 million or 4% of a company’s annual global revenue, and private litigation is possible.

The rights of individuals under the GDPR, and the corresponding duties of companies that process information about those individuals, show how comprehensive this new regulation is. This summary omits many of the detailed compliance requirements imposed by the GDPR. Therefore, companies should be actively considering their approach to GDPR compliance now, and carefully monitoring how EU data protection authorities are enforcing the new requirements.

What does the GDPR require?

In general, companies subject to the GDPR must:

  • Be transparent with individuals about how and why the company collects, processes, or shares those individuals’ personal information. This includes certain notice requirements.
  • Have a lawful basis for all processing of personal data. Consent is only one lawful basis, and companies may have other lawful bases available to rely upon.
  • Limit their processing of personal data to those legitimate purposes for which the company collected the data. With some exceptions, companies cannot process data they already possess for reasons unrelated to its original, lawful collection.
  • Minimize the amount of data they collect and process to the amount necessary to meet the lawful purposes for which they collected the data.
  • Ensure the accuracy of personal information they collect and maintain.
  • Delete personal information when it is no longer necessary to carry out the lawful purpose for which it was collected, or when it does not otherwise need to be retained.
  • Maintain the security, integrity, and confidentiality of personal data. This includes data breach notification requirements.
  • Maintain records of their data processing activities.
  • Ensure by contract that third parties to whom the company transfers personal information will adequately protect the information and use it only for specified lawful purposes.

Individuals protected by the GDPR have the following rights with respect to their personal data being processed by companies subject to the GDPR, and companies must be prepared to respond to individuals seeking to exercise these rights, which include:

  • Accessing personal data about them being processed by the company;
  • Correcting any inaccuracies in such data;
  • Having the company delete such information (“right to be forgotten”);
  • Limiting the ways in which the company processes such data;
  • Transferring the personal data held by the company to another entity (portability);
  • Objecting to how the company is processing the individual’s personal information; and
  • Refraining from being the subject of automated decision-making processes, including profiling.

Although the GDPR is now in effect, companies should continue to focus on compliance if they have not yet implemented processes designed to comply with the GDPR. Many companies are taking a tiered or risk-based approach to prioritize compliance tasks, build out their processes over time, and monitor how the broad, principles-based requirements of the GDPR are developed and enforced.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Eversheds Sutherland (US) LLP | Attorney Advertising
