The European Union’s General Data Protection Regulations (GDPR) take effect on May 25, 2018. GDPR applies to all organizations that collect and process data belonging to EU citizens. This also applies to the United Kingdom post Brexit. It does not matter where in the world the EU citizen may be, if your organization collets the data of an EU citizen, it must be protected. Organizations need to comply whether they have operations or employees in the EU and also if they have a website or app that collects and processes EU citizen data. Penalties for non-compliance are quite severe: If an organization is found to be non-compliant, the fine is the greater of 20 Million Euros or 4% of an enterprise’s worldwide revenue!

Data control and data security go hand in hand and form the basis of the GDPR regulations.

Data Control: To preserve a resident’s privacy, organizations must: (i) only process data for authorized purposes; (ii) ensure that the data is accurate; (iii) minimize the exposure of the individual’s identity; and (iv) implement data security measures.

Data Privacy: To preserve a resident’s privacy, organizations must implement: (i) safeguards to keep data for additional processing; (ii) data protection measures, by default; and (iii) security as a contractual requirement, based on risk assessment and encryption. In addition, a data subject has “the right to be forgotten.”

In other words, an organization cannot keep data indefinitely. GDPR requires organizations to completely erase data from all repositories when: (i) data subjects revoke their consent; (ii) a partner organization requests data deletion; or (iii) a service agreement comes to an end. There are legal exceptions when data cannot be erased, but those exceptions are limited.

As a preliminary matter, it is imperative for any organization to assess the risks to privacy and security and demonstrate that it is in compliance. Organizations are required to: (i) conduct a full risk assessment; (ii) implement measures to ensure and demonstrate compliance; (iii) proactively help third-party customers and partners to comply; and (iv) prove full data control. Further, when a data breach occurs, the compromised organization must: (i) notify the authorities within 72 hours; (ii) describe the consequences of the breach; and (iii) communicate the breach directly to all affected subjects.

The requirements of GDPR are not to be taken lightly. All organizations must now be in a position to address these requirements in order to conduct business with EU citizens. For more information on assistance with this regulation and any other cyber-security and data privacy issues for your organization, please contact Charles “Drew” Hayes at [email protected].

Wegman Hessler specializes in business law for business leaders, applying legal discipline to solve business problems to help business owners run smarter. For more than 50 years, this Cleveland business law firm provides full-service strategic legal counsel for closely held businesses. Learn more at www.wegmanlaw.com.