Everyone has been to a lot of presentations, read articles and evaluated the General Data Privacy Regulation (“GDPR”) – yet many questions remain.
Many companies continue to struggle with determining whether (1) the GDPR applies to them and, if so, (2) what can be done before the May 25th compliance deadline.
It is not too late to have these questions answered when working with experienced counsel who can navigate the issues at hand. For instance, possession of any European Union (“EU”) resident’s data does not necessarily trigger the GDPR. Indeed, making the legal determination regarding the applicability of the GDPR can be completed largely over the phone by discussing key issues and conducting a targeted follow-up investigation. If the GDPR applies, then there are a number of high-impact but manageable tasks that can be accomplished by May 25th. Of course, waiting longer to evaluate these issues only puts businesses at greater risk for the hefty (up to 20 million Euro or 4 percent of annual global revenue, whichever is greater) non-compliance penalties that may be applicable.
To determine whether the GDPR applies, begin by considering the following non-exclusive factors concerning your business:
- Does your business have an office, affiliate or employees located in the EU or the European Economic Area (“EEA”)?
- Does your business collect, control or use data (including name, email, IP address or online activity) of anyone in the EU or the EEA?
- Is your business marketing, soliciting or conducting business with anyone in the EU or EEA?
To assess your GDPR readiness, consider whether:
- You can find an individual’s information in your business records and readily delete that data or make it portable for transfer to another entity;
- Your business has policies in place concerning holding, removing and transferring data;
- Your business has agreements in place with third-party vendors who may help you collect, process, store or delete data.
If you receive a “Data Processing Agreement” from a vendor, client or other third party, have experienced counsel analyze those documents to help you take steps towards confirming compliance with the GDPR and other regulatory requirements, and advise you regarding the agreements’ impact on your organization and any necessary modifications.
We have extensive experience in advising a wide range of clients – from startups to large organizations – regarding these issues and can efficiently position you to be in compliance with the GDPR and other regulations. We would be happy to help you.