Written by Ruth E. Promislow, Michael R. Whitt and Archana Ravichandradeva

The European Union’s General Data Protection Regulation (GDPR) will come into force on May 25, 2018. This new regulation replaces the current data protection law (Directive 95/46/EC) substantially and will bring important changes to the nature of data protection and privacy as a whole in the region, intending to create a further modernized and harmonized data protection strategy. 

If you conduct, or are contemplating business in the European Union, this new regulation should be on your radar.

Is Your Organization Subject to the GDPR?

• The GDPR applies if a data controller (organization that collects data from EU subjects) or processor (organization that processes data on behalf of data controller such as cloud service providers) or the data subject (person) is based in the EU.
• The GDPR applies to organizations which have EU “establishments”, where personal data is processed “in the context of the activities” of such an establishment. This is a broad flexible test that encapsulates a wide range of business activity. An organization may be “established” where it exercises “any real and effective activity—even a minimal one” in the EU. Even having one representative in the EU, or having a sales office to promote and market goods and services to EU residents may be enough to engage the GDPR.
• Even non-established organizations have to consider and prepare for the GDPR if they engage in processing the personal data of EU subjects, especially if this data will be used to monitor the subject's behaviour in the EU or generate profiles of users’ "preferences, behaviours and attitudes".
• The regulation also applies when goods or services are intentionally offered to data subjects in the EU—specifically marketing those goods and services to EU citizens, using currency generally used in one or more EU states, or allowing customers to purchase goods in a language generally used in one or more EU states.

What Are Some Consequences?

• Businesses subject to the GDPR will be obligated to meet certain standards of data protection and management. Some contraventions will be subject to administrative fines of up to €10,000,000 or 2 percent of global annual turnover of the preceding year, whichever is higher.
• Other contraventions attract fines of up to the greater of €20,000,000 or 4 percent of global turnover of the preceding year. These fees are to be meted out on a case-by-case basis.

If you would like to learn more about the potential impact of the GDPR on your business, members of our Bennett Jones Cybersecurity team can assist, and where required can direct you to experienced European counsel.