The EU General Data Protection Regulation becomes effective in May 2018.
It applies to those that (i) offer products/services to EU residents; (ii) monitor the behavior of EU residents; or (iii) handle the personal data of EU residents.
The cornerstone of GDPR is that personal data must be processed lawfully, fairly and in a transparent fashion.
Data collection protocols must be adequately disclosed. It imposes an opt-in regime. Consumers must also be permitted to access, change and request the deletion of their data.
Personal data collected should be for legitimate purposes and limited to what is necessary. Consistent with Federal Trade Commission guidance, data should not be kept for any longer than is necessary for such purposes.
Reasonable measures that ensure the security of personal data must be implemented, including safeguarding against unauthorized use, exploitation, destruction or damage. Personal data should be anonymized if possible, otherwise encryption or other technical controls must be employed to protect the data.
From an accountability standpoint, data processors must be able to demonstrate compliance with the GDPR. Those that systematically collect/process personal data are required to appoint a data protection officer. Data breaches must be reported within 72 hours.
The penalties for violations of the GDPR are substantial and can yield fines of up to $23M USD, or 4% of total worldwide revenue of the preceding year – whichever is higher – for breaches of lawfulness, transparency, accuracy and purpose limitation, data minimization and storage limitations. Fines are “less” severe for breaches relating to data integrity, confidentiality and accountability.
If you are interested in learning more about the implementation of compliant privacy and data security protocols, you can contact the author via email at rnewman@hinchnewman.com.
You can also follow the author on LinkedIn at FTC Defense Lawyer.
ADVERTISING MATERIAL. These materials are provided for informational purposes only and are not to be considered legal advice, nor do they create a lawyer-client relationship. No person should act or rely on any information in this article without seeking the advice of an attorney. Information on previous case results does not guarantee a similar future result. Hinch Newman LLP | 40 Wall St., 35th Floor, New York, NY 10005 | (212) 756-8777.