GDPR D-Day: If Not Prepared, It Could Cost You Europe

by Ifrah PLLC

Ifrah PLLC

GDPR D-Day: May 25, 2018. If you are not prepared, the results could cost you Europe.

In the U.S., we’ve had a pretty business-friendly approach to consumer data protection. And while federal and state authorities have their respective consumer protection laws, there is no single federal law that clearly defines U.S. policy on how consumer data may be collected and used. Businesses have come to view customer data as a potential gold mine, and the ease and cost-effectiveness of data collection as a gold rush.

Things are different across the pond. Historically, the E.U. and its member states have been diligent in protecting the consumer and consumer data. It started in 1995 with the E.U. Data Protection Directive. U.S. businesses have had to be mindful of the Directive, insofar as their business involved E.U. citizen data, but have been able to operate under a freer regimen than that imposed in Europe. The Directive’s successor, the General Data Protection Regulation (“GDPR”), changes things up substantially however, even on this side of the Atlantic.

The GDPR is both comprehensive and extensive, covering businesses both in and outside of Europe. If you have an E.U.-based establishment, if you offer goods or services to people in the E.U., or if your business involves monitoring individual behavior within the E.U., you likely will be required to adhere to the regulation. Given the significant compliance requirements and the hefty penalties for non-compliance, we suggest you gear up and prepare sooner rather than later.

What Lies Beneath. To best prepare for the GDPR, we recommend you become familiar with the underlying rationale. The regulation begins with the principle that “[t]he protection of natural persons in relation to the processing of personal data is a fundamental right.” The drafters of the regulation approached data privacy with an eye toward (1) empowering and informing individuals as much as practicable and (2) limiting businesses’ individual data usage to what is necessary.

Strategic Thinking. Some general concepts that businesses should adopt, as they develop their approach to GDPR compliance:

  • Mine/Not Mine:

Personal data is “their” information, not “yours.” To operate your business within the framework of the GDPR, you may need to change the way you view, and the way you value, personal data. It is not a gold rush for data mining (and capitalizing on that data). The GDPR puts the rights to data and how it is used in the hands of the individual “data subject”[1]: personal data should be viewed as the property of the individual. Businesses need to respect individual’s data ownership rights.

  • Serve Your Subjects:

Since “data subjects” are primary stakeholders in their data and how it is used, you will need to ensure you obtain individuals’ explicit and affirmative consent. You will also need to keep individuals up to date on any developments in how their data is used and (potentially) how their data may have been compromised. Bundled consents and blanket notices need to be a thing of the past. The GDPR requires consent be clear, affirmative, and freely given. You need separate consents for different data usage elements. Notice must be given in a clear, concise, transparent, and easily accessible way: you must notify data subjects of the what’s, why’s, and when’s their data is used as well as their rights to and over the data.  Data subjects’ rights are numerous and include the right to access, port, correct, erase, or restrict data.

There are some enumerated exceptions in which you can process data without needing to get the consent of the data subject. You should further assess these exceptions if you think you qualify. They include: (1) data processing where the processing is necessary to contract performance, (2) processing to comply with a legal obligation, or (3) processing necessary for enumerated legitimate interests (e.g., for internal admin purposes or to prevent fraud). But even if you don’t have to get an individual’s consent, you are still required to provide them notice on how their data is processed.

  • One Size Does NOT Fit All:

Instead of striving to capture and hold onto as much data as possible, you should tailor your data usage to what is necessary; and you should only retain that data for so long as necessary. The GDPR requires there be an established and documented legal rationale for your data usage, including a legal basis for any follow-on data processing that may transpire. It is also important to develop data protection by design measures that ensure privacy is a part of any new processing or product deployed. You should incorporate measures like pseudonymisation of data where practicable and retention policies tailored to meet business and legal requirements. As you develop data processing measures, those measures should incorporate ways to facilitate data subjects’ rights to access, port and erase their data.

  • Paper Trails Are Happy Trails:

The GDPR regularly cites the importance of demonstrating compliance measures – so you should factor ways to demonstrate compliance throughout the lifespan of your data usage. For instance, you should be able to demonstrate with sufficient documentation (1) that you have individuals’ specific and informed consent, (2) that you have provided notice of individuals’ rights, (3) that data transfers (to countries outside the E.U.) are permissible under the regulation, and (4) that you have employed privacy by design measures.

Battle command on the move (BCOTM) It is important to keep in mind that the GDPR is an expansive and tedious undertaking that will have issues in implementation and enforcement. Just as with a new product rollout, when the GDPR takes effect, inevitably there will be stops and starts and unforeseen complications; there will be both legal and logistical challenges. You will want to keep up to date on the latest developments (we’ll be on it). But if you think strategically, and develop an approach to data processing that focuses on the rights of the individual, you can brave the regulatory onslaught. And developing data processing tools that adhere to GDPR principles could give you a competitive advantage down the road.

[1] The GDPR uses the term “data subject” but that’s a bit of a misnomer, as the regulation treats the individual whose data is at issue as the owner.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Ifrah PLLC | Attorney Advertising

Written by:

Ifrah PLLC

Ifrah PLLC on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
Privacy Policy (Updated: October 8, 2015):

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.


JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at:

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.