If you have business interests in any country within the European Union (EU), you should evaluate whether and to what extent the EU’s newest privacy regulation — the General Data Protection Regulation (GDPR) — will affect your business. In this article, our second in a series of privacy compliance posts, we examine the general scope of the GDPR and how it may impact your business.
In May 2018, the GDPR goes into effect, replacing the EU Data Protection Directive of 1995. Where the Data Protection Directive was applied inconsistently across EU member states, the GDPR intends to harmonize data privacy laws across those states. The GDPR is also a partial response to how technology and privacy interests have changed in the almost 25 years since the Data Protection Directive was adopted.
The GDPR will impact every business that directly or indirectly deals with EU consumers. The GDPR defines personal data broadly, and applies restrictions on both how that data can be collected and how it can be used. Personal data now includes just about any information about a natural, identifiable person. This can include a name, a personal identification number, location data, IP address, and physical, physiological, and demographic information.
The GDPR also applies to businesses outside the EU if they operate in the EU through third parties. The GDPR does this by bifurcating businesses as either controllers or processors of individual personal data. The controller is generally the business that is the end-user of the individual personal information. The processor, on the other hand, is the subcontractor, agent, or other third party that may be collecting and processing the data on behalf of the controller. Thus, regardless of whether the controller or processor is located in the EU, the GDPR may apply to any processing of personal information of EU subjects if the processing is related to offering goods and services in the EU.
The GDPR also requires various levels of consent — and conditions for the consent — before a business can collect and process personally identifiable data. In most circumstances, consent cannot be implicit nor a pre-checked box. Consent has to be an affirmative act. The regulation also identifies a wide range of information categories that cannot be collected at all except in certain limited circumstances.
In our next posts we will discuss some important exceptions to GDPR application. In the meantime, if you do business with the EU it is important to examine the extent to which the GDPR will be applicable to you.
Please contact us with questions.
Ryan J. Cooper, Esq., CIPP/US
600 Linden Place
Cranford, NJ 07016