New Data Protection Law Going Into Effect On May 25, 2018 – Is Your Organization Ready?

Sunday April 1, 2018 Published in Corporate and Business
Flag USA and Europe isolated on sky background

The European Union’s General Data Protection Regulations (GDPR) take effect on May 25, 2018. GDPR applies to all organizations that collect and process data belonging to EU citizens. This also applies to the United Kingdom post Brexit. It does not matter where in the world the EU citizen may be, if your organization collets the data of an EU citizen, it must be protected. Organizations need to comply whether they have operations or employees in the EU and also if they have a website or app that collects and processes EU citizen data. Penalties for non-compliance are quite severe: If an organization is found to be non-compliant, the fine is the greater of 20 Million Euros or 4% of an enterprise’s worldwide revenue!

Data control and data security go hand in hand and form the basis of the GDPR regulations.

Data Control: To preserve a resident’s privacy, organizations must: (i) only process data for authorized purposes; (ii) ensure that the data is accurate; (iii) minimize the exposure of the individual’s identity; and (iv) implement data security measures.

Data Privacy: To preserve a resident’s privacy, organizations must implement: (i) safeguards to keep data for additional processing; (ii) data protection measures, by default; and (iii) security as a contractual requirement, based on risk assessment and encryption. In addition, a data subject has “the right to be forgotten.”

In other words, an organization cannot keep data indefinitely. GDPR requires organizations to completely erase data from all repositories when: (i) data subjects revoke their consent; (ii) a partner organization requests data deletion; or (iii) a service agreement comes to an end. There are legal exceptions when data cannot be erased, but those exceptions are limited.

As a preliminary matter, it is imperative for any organization to assess the risks to privacy and security and demonstrate that it is in compliance. Organizations are required to: (i) conduct a full risk assessment; (ii) implement measures to ensure and demonstrate compliance; (iii) proactively help third-party customers and partners to comply; and (iv) prove full data control. Further, when a data breach occurs, the compromised organization must: (i) notify the authorities within 72 hours; (ii) describe the consequences of the breach; and (iii) communicate the breach directly to all affected subjects.

The requirements of GDPR are not to be taken lightly. All organizations must now be in a position to address these requirements in order to conduct business with EU citizens. For more information on assistance with this regulation and any other cyber-security and data privacy issues for your organization, please contact Charles “Drew” Hayes at

Wegman Hessler specializes in business law for business leaders, applying legal discipline to solve business problems to help business owners run smarter. For more than 50 years, this Cleveland business law firm provides full-service strategic legal counsel for closely held businesses. Learn more at

Related Stories

The FTC Non-Compete Ban: Ways to Protect Your Business Interests

As a business leader, you’ve likely relied on non-compete agreements to safeguard your company’s confidential information, protect your investments in employee training, and maintain a competitive edge. However, with the…

Read More
FTC non compete ban

The FTC’s Non-Compete Ban: Navigating the New Reality for Business Owners

The business landscape is set to undergo a significant shift in early September with the Federal Trade Commission’s (FTC) recent comprehensive ban on new non compete agreements between employers and…

Read More
A business law attorney, David Knowles celebrates 50 years specializing in HR law with Wegman Hessler business law firm in Ohio.

Celebrating 50 years in the practice of HR law, David R. Knowles of Cleveland’s Wegman Hessler Valore still embraces the constant of change

As he drives to Wegman Hessler Valore’s Cleveland area headquarters, David R. Knowles reflects on a city that has undergone enormous transformation during his tenure there. The factories that once…

Read More