Countdown to the EU General Data Protection Regulation: Are You Ready?

Clark Hill PLC

With less than one year until the May 25, 2018 deadline for compliance with the EU General Data Protection Regulation (Regulation (EU) 2016/679) (the "GDPR"), affected companies should already be preparing. The GDPR was passed into EU law in 2016 to increase data privacy protections for EU residents and provides a uniform, consolidated framework for business usage of personal data across the EU. The GDPR replaces the existing data protection framework under the earlier EU Data Protection Directive. Of critical note for most readers of this alert, the GDPR applies not only to companies within the EU, but also those companies located outside the EU that offer goods or services to, or monitor the behavior of, EU data subjects, i.e., persons physically residing in the EU (even if they are not EU citizens). Thus, the GDPR applies to all companies processing and holding personal data of EU residents regardless of the company's location. 

The GDPR contains 91 articles, many of which will require action by affected companies to ensure compliance. The articles that will likely have the most impact include:

  • Articles 12/14. Mandate clear notice to data subjects of the purpose for which data is being collected and restrict use of data solely to the manner indicated to data subjects;
  • Articles 15/21. Give data subjects more control over personal data that is processed automatically through the right to portability and right to erasure (right to be forgotten);
  • Articles 23/30. Require companies to implement reasonable data protection measures to protect personal data of data subjects and privacy against loss/exposure;
  • Article 28. Provides a list of requirements (some previously contained in the EU Data Protection Directive and some new) to include in contracts with vendors and other third parties that process personal data of EU data subjects;
  • Articles 33/34. Data breach notification to supervisory authority within 72 hours of learning of a breach with details and approximate number of affected subjects and notification to the data subject in certain cases;
  • Article 37. Requires companies whose "core activities" involve large-scale processing of "special categories" of data[1] to appoint a data protection officer;
  • Articles 38/39. Outline the role of the data protection officer and his or her responsibilities in ensuring GDPR compliance and reporting requirements;
  • Articles 44/46. Extend data protection requirements of the GDPR to international companies that collect or process the personal data of EU residents; and
  • Article 83. Imposes fines up to 20,000,000 EUR or 4% of total worldwide annual turnover of the preceding year (whichever is higher) for violations.

Companies (of any size) affected by the GDPR must not only be aware of the GDPR requirements, but be prepared to comply by May 25, 2018. Compliance is not something that can be accomplished overnight, but instead requires companies to: (a) develop an in-depth knowledge and understanding of the GDPR; and (b) implement a framework of policies/procedures/agreements that adhere to the GDPR's strict and far-reaching tenets. If you have not already, now is the time to consider whether your company must comply with the GDPR before it is too late.

[1] This data includes information that reveals a data subject's racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data, health or sex life, or sexual orientation.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Clark Hill PLC | Attorney Advertising
