By Jennifer M. Hart and Kyle A. Hutnick GDPR
Geared up for GDPR?
With a matter of days until the European Union’s General Data Protection Regulation (GDPR) takes effect on May 25, 2018, U.S. companies are scrambling to make sure they’re in compliance. Many are still unclear about whether the GDPR applies to them. The GDPR is a sweeping update to privacy laws in the EU and is much broader than most data privacy laws in the U.S. It adds previously unregulated data types, like location and IP address, to the list of protected information like name and credit card details.
Does the GDPR Apply to Your Business?
Companies that operate in the EU or advertise directly to EU residents must comply with the GDPR. But what about companies who have no physical presence in the EU? The answer is “yes” if you control or process personal data about a person located in the EU when making sales or if you monitor their online behavior. For example, a U.S. business that sells products on its website must comply with the GDPR if it uses cookies to track behavior of site visitors living in the EU. However, the GDPR does not necessarily apply simply because a U.S. business sells goods online to customers in the EU. The U.S. business must have intended to reach customers in the EU by:
- offering goods or services in an EU language or currency;
- allowing EU data subjects to place orders in the local language; or
- marketing their goods or services to EU customers.
While any U.S. company with an online store could be affected, other types of companies that could be impacted include hospitality, travel and software companies.
How to Become GDPR-Compliant
Here are a few key points to think about while making your business GDPR-compliant:
- Make consent clear. Individuals must have the opportunity to give specific, informed and unambiguous consent to the processing of their personal data. Simply including a link to a privacy policy or having a pre-checked box on your terms and conditions is not enough to comply with the GDPR.
- Be transparent in data practices. The GDPR requires that individuals be made aware that their personal data is being processed. Companies must clearly and plainly state who will process data, how they will handle it and why they are using it.
- Be diligent with deletions. Under the GDPR, people have the “right to be forgotten,” or the right to ask companies to delete all stored information. Once requested, the information must be deleted “without undue delay.”
Understanding the Consequences
Determining whether your business must comply with the GDPR requires careful analysis and has steep financial consequences if done incorrectly. If you think you can afford to ignore the GDPR, think again. There are big fines for non-compliance: 20 million Euro, or 4% of annual profits, whichever is greater. However, there are still questions about how the GDPR will be enforced in the U.S., and enforcement will depend on a company’s presence in the EU. For companies with little market presence in the EU, it’s still unclear whether the Federal Trade Commission (which currently serves as the data protection watchdog in the U.S.) will enforce the GDPR, and if so, to what extent.
KJK can help businesses determine whether they need to comply with the GDPR, and where necessary, craft an approach tailored to your business. To discuss whether the GDPR applies to your company or strategies to make your business GDPR compliant, please contact Jennifer M. Hart at 216.736.7208 or jmh@kjk.com or Kyle A. Hutnick at 216.736.7243 or kah@kjk.com.