Blog

New General Data Protection Regulations in European Union Has Cybersecurity Consequences

July 19, 2017

Written by Ruth E. Promislow, Michael R. Whitt and Archana Ravichandradeva

The European Union’s General Data Protection Regulation (GDPR) will come into force on May 25, 2018. This new regulation substantially replaces the current data protection law (Directive 95/46/EC) and will bring important changes to the nature of data protection and privacy as a whole in the region, with the intent of creating a more modern and harmonized data protection strategy.

If you conduct, or are contemplating, business in the European Union, this new regulation should be on your radar.

Is Your Organization Subject to the GDPR?

  • The GDPR applies if a data controller (an organization that collects data from EU subjects), a processor (an organization that processes data on behalf of a data controller, such as a cloud service provider) or the data subject (person) is based in the EU.
  • The GDPR applies to organizations which have EU “establishments”, where personal data is processed “in the context of the activities” of such an establishment. This is a broad, flexible test that encapsulates a wide range of business activity. An organization may be “established” where it exercises “any real and effective activity—even a minimal one” in the EU. Even having one representative in the EU, or having a sales office to promote and market goods and services to EU residents, may be enough to engage the GDPR.
  • Even non-established organizations have to consider and prepare for the GDPR if they engage in processing the personal data of EU subjects, especially if this data will be used to monitor the subject's behaviour in the EU or generate profiles of users’ "preferences, behaviours and attitudes".
  • The regulation also applies when goods or services are intentionally offered to data subjects in the EU—specifically marketing those goods and services to EU citizens, using currency generally used in one or more EU states, or allowing customers to purchase goods in a language generally used in one or more EU states.

What Are Some Consequences?

  • Businesses subject to the GDPR will be obligated to meet certain standards of data protection and management. Some contraventions will be subject to administrative fines of up to €10,000,000 or 2 percent of global annual turnover of the preceding year, whichever is higher.
  • Other contraventions attract fines of up to the greater of €20,000,000 or 4 percent of global turnover of the preceding year. These fines are to be imposed on a case-by-case basis.

If you would like to learn more about the potential impact of the GDPR on your business, members of our Bennett Jones Cybersecurity team can assist, and where required can direct you to experienced European counsel.

Authors

  • Ruth E. Promislow, Partner
  • Michael R. Whitt Q.C., Partner, Patent Agent, Trademark Agent

© Bennett Jones LLP 2021. All rights reserved. Bennett Jones refers collectively to the Canadian legal practice of Bennett Jones LLP and the international legal practices and consulting activities of various entities which are associated with Bennett Jones LLP