General Data Protection Regulation (GDPR)

On May 25th 2018, the EU's General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, will enter into force. The intention of this EU regulation, adopted by the EU Parliament in April 2016 with a transition time of 2 years, is to harmonize data protection regulations across the entire European Union, strengthen individual privacy rights and provide powerful enforcement and sanction measures against misuse of personal data.

Which companies will be subject to the GDPR?

The GDPR will also apply to companies located outside of the EU if they offer goods or services to the EU and process and/or hold the personal data of individuals residing in the European Union, regardless of the company's location.

What is “personal data” under the GDPR?

“Personal data” is any information related to a natural person that can be used to directly or indirectly identify that person. “Personal data” under the GDPR can be anything from a name, a photo, an email address, bank details, posts on social media or medical information to a computer's IP address.

How to comply with the GDPR?

As a first step, a company must carefully evaluate what kind of personal data it may collect at any time within its business operations and how this data is processed within the company. Document the personal data that you hold, where it came from, and who you share it with. Depending on this assessment, some of the following measures may be necessary for compliance with the GDPR:

  • review your organization's Privacy Policy and modify it for compliance with the GDPR
  • review your consent policy and, if necessary, re-collect consent for data processing
  • appoint a responsible person or Data Protection Officer (DPO) within the company
  • provide individuals (so-called data subjects) the possibility to access, correct and delete their personal data
  • apply an appropriate level of security (in particular against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, and unauthorized access to, personal data)
  • in case of a data breach, notify the relevant supervisory authority of the personal data breach "without undue delay and, where feasible, not later than 72 hours after having become aware of it."

The measures listed above are only examples; they are neither exhaustive nor do they apply to every company in the same way.

What penalties does a company risk under the GDPR?

In case of first offenses or non-intentional non-compliance, the GDPR provides for lower-level sanctions such as a written warning or data protection audits. For repeated offenses or misuse on an international level, fines of up to 20 million euros or four percent of a company's annual worldwide turnover, whichever is higher, are possible.