Privacy Law Update: General Data Protection Regulation (“GDPR”)

May 3, 2018 dmock2015

The European Union’s (“EU”) General Data Protection Regulation (“GDPR”) becomes effective on May 25, 2018, and it will have far-reaching impacts on rights afforded to data subjects and impose new obligations on data controllers and processors. But before even addressing the new rights and obligations it creates, a company must carefully evaluate whether the GDPR is applicable to it in the first place. Certainly, EU-based companies are subject to the GDPR’s requirements, but so are companies and agencies that process or collect personal information of EU data subjects or monitor EU data subjects with targeted advertising. It is important to remember that “personal information” is an expansive concept under the GDPR and that EU data subjects include individuals located in the EU. Ultimately, some U.S. companies (or non-EU companies for that matter) will be impacted because they offer goods or services in the EU or target EU data subjects. If a company provides services via the internet to customers in the EU, the company may trigger the GDPR even if based entirely in the U.S. In the context of a mobile application, one EU data subject’s download of the application may technically obligate compliance with the GDPR. In the context of a university, a branch campus located in the EU, exchange programs, research programs, study abroad programs, and internship programs should be evaluated to determine whether the GDPR applies.

As we move toward May 25, 2018, companies would be wise to (if they have not done so already):

  • Evaluate the company’s data flows and determine what data is collected, where it is collected from, where it is stored, and how it is used.
  • Review the GDPR requirements and determine (and document) whether any gaps exist between the GDPR and the company’s current practices.
  • Update the company’s Privacy Policy and privacy notices to comply with the GDPR, including a determination of the lawful basis for collecting and processing the data subjects’ personal information.

Also, as companies consider future expansion, perhaps into the EU market, the GDPR must be addressed if personal information is involved to avoid the risk of significant fines.


Legal Disclaimer:

The content of this blog is provided for informational purposes only and does not constitute legal advice. The transmission of information on this blog is not intended to establish, and receipt of such information does not establish or constitute, an attorney-client relationship. You should not act or rely on any information contained on this blog without first seeking the advice of an attorney.
This blog is not intended to be advertising, and Delfino Madden O’Malley Coyle & Koewler LLP does not desire to represent anyone desiring representation based upon viewing this blog or any articles contained on this blog in a jurisdiction where this email fails to comply with all laws and ethical rules of that jurisdiction.