Site iconSite icon HospitalityLawyer.com®

What American Companies Need to Know about the EU’s New General Data Protection Regulation

The General Data Protection Regulation (GDPR) is a new data privacy and security law in Europe that will go into force on May 25, 2018. Every organization that does business with EU customers, regardless of the home base of the organization, and regardless of the size of the organization, must come into compliance or risks significant financial penalties and legal exposure. The new law permits fines of the greater of €20 million or four percent of an organization’s worldwide annual revenue for the previous fiscal year.

The primary purpose of the GDPR is to provide EU citizens with greater control over how their personal data is collected, protected and used. There must be a legitimate and lawful reason for collecting data and limited to the minimum necessary information for the purpose for which data are collected. Data must be deleted when that purpose has been achieved.

The definition of personal data under the GDPR is extremely broad and includes any information relating to an identified or identifiable natural person (e.g., addresses, telephone numbers, email addresses, bank information, credit card details, photos, posts on social media websites, medical information, and even an IP address). There is also a separate definition for “sensitive personal data” (e.g., racial or ethnic origins, political opinions, physical or mental health and criminal history) which is entitled to even greater protection.

Companies which are in compliance with the existing Data Protection Act (DPA) certainly have a head start as not everything has changed, but most companies will have to implement additional privacy protections and adopt comprehensive data protection strategies to comply with the more expansive provisions of the GDPR. The following are steps which companies should consider taking now to prepare for implementation of the GDPR.

With the enforcement date of the GDPR only seven months away, organizations should start assessing their policies and procedures so that they are not caught short when the law goes into effect. Organizations with any questions about the applicability of the GDPR to their activities or how to prepare should contact their regular Fisher Phillips attorney or any of the attorneys in our Data Security and Workplace Privacy Group.


Did you like this article? Check out these related posts:

Exit mobile version