Just last month, the General Data Protection Regulation (“GDPR”) came into existence. GDPR is the legal framework establishing the guidelines for collection and processing of personal data of individuals in the European Union (“EU”) and the rights of the individuals with regard to such data. The GDPR requires businesses to be much more explicit about the information they maintain on people and to provide them with more control over that information. While European businesses may have been planning for the GDPR for some time, many U.S. companies are unprepared with no plans in place to comply. However, the long arm of the GDPR might apply to them.

Even if a business has no direct EU operations, it may still be required to comply with the GDPR if it, or its customers acting on its behalf, process information on people in the EU. This means that for many U.S. businesses, such as hotels and restaurants, the rules affect how they operate in other countries, because their users are globally connected. Consumers will be able to ask for the information that businesses maintain on them, and businesses will be required to provide such information in short order at no charge to the consumer. Consumers will also have the right to erasure of personal data (the “right to be forgotten”) when certain grounds apply, and the right to ask that their data be restricted.

What does this mean for you?

For businesses that have not begun compliance efforts, there is much to consider, including:

  • adopting a GDPR compliance policy;
  • creating a proper consent to use the data;
  • identifying someone to advise them regarding compliance (is there a need in the organization for a data protection officer);
  • determining whether/how to reach out to obtain re-consents;
  • reviewing data management procedures;
  • finding out where the information is located; and
  • developing procedures in the event of a security breach.

While fines for violations are severe and becoming compliant takes time, businesses must start somewhere. They would be well-served to put plans in place to demonstrate their efforts at working towards compliance.

For a printable PDF of this article, click here.

View All Publications