What is the GDPR?
GDPR stands for the General Data Protection Regulation. It is the new data privacy regulation for the European Union (EU). It took effect on May 25, 2018.
One of its primary goals is to give EU citizens more control over their personal data, including what’s collected, how long the data is kept, and how the data can be used.
What does it do?
The GDPR includes regulations that cover:
- Expanding the scope of what constitutes “personal data”
- Requiring services to receive informed consent before collecting and processing personal data
- How companies should handle EU citizens’ personal data
- How and when companies need to notify users about a data breach
- Streamlining enforcement authority
- The “GDPR right to be forgotten,” which grants EU citizens the right to request the erasure of personal data
What is considered personal data?
Under the GDPR, personal data isn’t just a person’s real name, address, identification number, and birth date. Personal data under the GDPR includes any information that can be used to identify someone, including:
- Biographical information: names, dates of birth, Social Security or other identification numbers, phone numbers, and education history
- Electronic data: email addresses, IP address, location data, and online usernames
- Looks, appearance, and behavior: hair color, eye color, and weight
- Employment data: their workplace, salary, and tax information
- Health data: medical history, genetic information, and fingerprints
Whether information is considered “personal data” can vary based on the circumstances. For example, the United Kingdom Information Commissioner’s Office explains that a person’s name may not always be personal data, especially if the name is common. However, when that name is combined with additional information like a telephone number or workplace, it becomes easier to identify that person. It’s also possible to identify someone even if you don’t know their name—think of a neighbor you see often and can recognize but whose name you don’t know.
What are the penalties for violating the GDPR?
Based on the violation, penalties can range from written warnings to periodic data protection audits to fines. Right now, the steepest penalty is a fine of up to €20 million or up to 4% of your business’s annual global turnover (based on the previous financial year), whichever is greater.
Each EU member state can enforce the GDPR against businesses that collect their citizens’ personal data, and each state has a different approach to enforcement.
Does the GDPR apply to us?
Even if you operate a business in the United States, you still may be subject to the GDPR. Review and answer the following:
- Do you collect, store, or host data that comes from other companies?
- Does your business have a presence (virtual or physical) in Europe?
- Does your business plan include expanding to Europe?
- Do you collect data from users through a registration system, contact form, or email marketing?
- Do you use marketing or advertising platforms that capture data from EU users?
- Do you use a website or cloud-based system that’s based in Europe?
If you answered “yes”—or even “I’m not sure”—to any of these questions, it’s possible that the GDPR applies to your business. Stanton Law can advise you whether the GDPR applies to your business and, if so, help you develop a roadmap to get your business in compliance.
The Atlanta privacy and data protection lawyers at Stanton Law can help.
At Stanton Law, we’re focused on representing the long-term interests of businesses and business owners. We are an entrepreneurial law firm that provides top-quality legal services with a practical eye on our clients’ bottom lines. We’d appreciate the chance to earn your business and help you navigate both the GDPR and US-related data protection and privacy regulations. Please contact Jessica Winans for further information.