EU General Data Protection Regulation takes effect May 25, 2018
If you are a U.S. business providing goods or services to individuals and businesses in the EU, it is time to undergo a thorough review of your data processing procedures.
The goal of the EU General Data Protection Regulation (“GDPR”) is to give individuals greater control over how their personal information is processed by organizations. And although GDPR is an EU regulation, many U.S. businesses are discovering that they may have certain obligations under the regulation.
Below are questions you should be asking.
What is GDPR?
- GDPR is a data protection and privacy regulation in EU law pertaining to the processing of an individual’s personal data.
What is personal data?
- Any information relating to an identifiable natural person, i.e., one who can be identified, directly or indirectly, in particular by reference to an “identifier” (such as a name, an identification number, location data, or an online identifier).
If my business is in the U.S., do I have to comply?
- GDPR applies to organizations that are established in the EU. However, it also applies to organizations outside the EU, including U.S. businesses, that (1) offer goods and services to individuals in the EU and/or (2) monitor the behavior of individuals who reside in the EU.
If my business is B2B, do I still need to comply?
- GDPR can definitely apply in B2B relationships. Although GDPR regulates the processing of an individual’s personal data, that does not limit its application to businesses that deal only with individuals (i.e., consumers). In a B2B relationship, a vendor may collect personal data from individuals who work for its business customers, or who are themselves customers of the business customer, which may subject the vendor to GDPR.
What is the first step to GDPR compliance?
- Determine whether your organization is subject to GDPR by performing a thorough review of the personal data your organization collects, determining how it is used, and deciding whether you have a lawful basis to use it under GDPR. Generally, a lawful basis for GDPR purposes can be based on express consent, performance of a contract, compliance with the law or legitimate interests.
What other steps may be necessary for GDPR compliance?
- If your organization is a “controller” of personal data (i.e., you determine the purposes and means of processing the personal data), you must address your organization’s own compliance requirements, as well as the requirements that apply to those processing personal data on your organization’s behalf.
- For those processing data on your organization’s behalf (for instance, a vendor that hosts the data), you will be required to put in place a written agreement that identifies the specific personal data to be processed by your vendor, the type of processing performed on the personal data, and the security and technical safeguards to be applied.
If you have any questions or concerns regarding GDPR and your organization’s compliance efforts, please do not hesitate to contact me. Global confusion still surrounds GDPR compliance, and we are here to assist. I may be reached by phone at 404.961.7641 or by email at firstname.lastname@example.org