By UpCounsel Corporate Attorney Ira Bornstein

Are you familiar with the EU General Data Protection Regulation (GDPR) that goes into effect on May 25, 2018? If not, you should be.

The EU treats privacy very differently than the U.S. does. The EU considers privacy to be a fundamental human right, which then dictates how citizen data is treated. The U.S., however, does not treat privacy as a fundamental human right, and its laws reflect that fact. The GDPR is intended to provide EU citizens with greater control over how their personal data is collected, protected and used.

Definition of Personal Data

The EU’s definition of Personal Data (used in place of “personally identifiable information” or PII, commonly utilized in the U.S.) is much broader than that of the U.S. Personal Data means any information (including, but not limited to, names, addresses, telephone numbers, email addresses, location data, photos, financial information, credit card information, medical information, posts on social media websites and IP addresses) that relates to an identified or identifiable natural person (who is referred to as a data subject). Such a person is one who can be identified, either directly or indirectly, from information such as a name, an identification number, location data, an online identifier (such as an IP or MAC address), or factors that are specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.

Jurisdictional Reach

The GDPR has an extremely broad jurisdictional reach. It applies to companies that process the personal data of data subjects who reside in the EU, regardless of where the company may actually be located, and to the processing of personal data by controllers and processors in the EU, regardless of where that processing may actually take place. As such, it covers personal data that is collected from individuals who are physically in the EU, regardless of their citizenship or the geographic location of the company.

Thus, a non-EU business that processes the data of EU citizens will have to appoint a representative in the EU. If your company has an office, branch or subsidiary in the EU that collects, receives, transmits, uses, stores or otherwise processes personal data, then the GDPR applies to it, regardless of where the processing occurs.

Similarly, if your company offers goods or services to data subjects in the EU, then the GDPR applies to it. Also, if your company monitors the behavior of data subjects in the EU, then the GDPR applies to it.

The following are some of the steps that you should consider taking in preparing for the GDPR.

Appointment of a Data Protection Officer

The GDPR requires that a company hire a Data Protection Officer if the controller’s or processor’s core activities require regular and systematic monitoring of data subjects on a large scale or involve processing a large scale of special categories of data, such as race, political or religious beliefs or criminal convictions and offenses. The Data Protection Officer must have expertise in data protection law and practices and be able to fulfill the responsibilities set forth in the GDPR. While the Data Protection Officer does not have to be someone outside of the company, they must be able to perform their duties in an independent manner.

Obtain Informed Consent

In the absence of a legitimate interest, contractual necessity, or compliance with a local obligation justifying the data processing, the data subject must provide appropriate consent to such processing. Appropriate consent under the GDPR means informed consent, which means companies must explain which permissions data subjects are granting the company in clear, distinguishable and plain language, not legalese.

Generally speaking, data processors and controllers can only process a data subject’s personal data after having informed the subject of both the extent of the data processing and the uses to which the data will be put. The consent provisions cannot be simply buried in a longer document. The data subject must consent through an affirmative act, such as signing a written document or checking a box on a website or app. A controller must be able to demonstrate that the data subject’s consent was both valid and documented. Consent that is not freely given is not valid consent.

A data subject must also be able to withdraw their consent at any time. Furthermore, it must be as easy to withdraw one’s consent as it is to give it.

With respect to minors, “information society services,” which include online services such as social media sites, cannot be provided to minors under the age of sixteen without the parents’ consent.

This will only tangentially touch upon some of the requirements. You should consult with a knowledgeable attorney for all of the specifics.

Right to the Data

A data subject is entitled to a copy of their personal data free of charge and in a common electronic format. The data, and the information to which they are entitled from the data controllers, must be provided without undue delay, and within one month of receiving the request.

Data Portability

A data subject has the right to receive their personal data in a commonly used and machine-readable format and to transmit the data to another controller if technically feasible.

Limitations on Data Collection and Processing

Only personal data necessary for the purpose of the data processing activity can be collected. Moreover, the personal data can only be retained for the time period necessary to carry out the purpose of the data processing. Personal data cannot be retained in perpetuity under the GDPR, nor can personal data be used or processed for any purpose other than that for which consent was given.

The Right to be Forgotten

Data subjects have the right, in certain situations, to have their personal data erased, to terminate any further dissemination of their data and to have third parties cease processing said data.

Data Breach Notification

The GDPR requires that, within 72 hours of becoming aware of a data breach, companies report the data breach to both the authorities and their affected customers.

Train Your Workforce

The GDPR also requires that companies train their workforce on the proper way to handle personal data under the GDPR.


If all of this leaves you thinking that you’d be better off simply ignoring the GDPR, the fines that can be assessed should change your mind. The GDPR permits fines up to the greater of 20 million euros or 4 percent of a company’s worldwide annual revenue for the previous year.

As you can see just from this morsel of information, even though the GDPR does not become effective until May 25, 2018, it would be prudent to begin working now on ensuring compliance with it. If in doubt, consult a lawyer with expertise in this area of the law.

Post a Job

About the author

Ira Bornstein

Ira Bornstein

I have a plethora of experience both as an accomplished commercial trial and appellate lawyer and as a general counsel and have been rated AV by Martindale-Hubbell for over two decades. I have handled complex commercial matters and litigation throughout the United States, having represented parties in matters in over a dozen states. Besides handling innumerable trials (both jury and bench), I have successfully argued before the Supreme Court of the United States, numerous federal Courts of Appeal, the Supreme Courts of the States of Colorado and Illinois, and several states' appellate courts. I have appeared before administrative agencies of the United States and have participated in mediations and arbitrations, both as a litigant and as a neutral.

View all posts Request a Proposal

Post a Job on
UpCounsel and get
high quality legal work done

Post a Job on UpCounsel
/* ]]> */