The GDPR Deadline

The GDPR deadline is May 25th, 2018 for all companies subject to the regulations of the European Union’s (EU) General Data Protection Regulation.

Companies subject to GDPR are any companies that collect personal data of EU citizens living in the EU. Compliance with GDPR standards can range from a massive, multi-million dollar operation, in the case of large companies that collect and store user data, to much simpler due diligence for smaller, non-data-driven organizations.

Regardless of size and business type, it is important for companies to pay heed to GDPR and make sure they are in compliance with it. Failure to do so could lead to fines of up to €20 million or 4% of the company’s revenue for the previous year.

What is GDPR?

GDPR is a new set of requirements adopted by the EU in 2016 that requires companies doing business in the EU to protect the privacy and personal data of EU citizens living in the EU. GDPR was created with the aim of formalizing the rights of EU citizens with regard to their personal data, and its regulating power extends to any company dealing with such data, even if the company is not based in the EU.

Some of the major privacy issues that GDPR covers include:

  • The “tracking” of individuals. Major tech and internet companies like Google, Amazon, and Facebook gather users’ personal information, track their website visits with cookies, and then advertise to users with this tracked information. The GDPR makes it necessary for businesses to notify their users that this is occurring, inform them of what the information will be used for, and receive consent from the user for this to occur.
  • The retention of personally identifiable information (PII). GDPR sets regulations on what kind of personal information can be collected (name, address, birthday, etc.), how it must be stored and secured, and what must occur if that data is stolen.
  • The cross-border transfer of information. GDPR holds that information pertaining to EU residents should remain in the EU, or if such information is to leave the EU, it only does so to destinations that meet the approval of the European Commission.

One of the main goals of GDPR is to target and crack down on privacy breaches for monetary gain by organizations that use data extraction, user tracking, and cookies to market or sell services to third parties. GDPR attempts to do this by preventing the gathering of such information to begin with or by providing stronger protections for whatever data is gathered.

What are the Tenets of GDPR?

The following are several essential tenets of GDPR that any business required to be in compliance should be aware of:

  1. Data Protection Officer (DPO) and Vendor Management. GDPR requires impacted organizations to have a DPO on staff and a system of vendor management pertaining to GDPR regulations. The DPO must see that the business is internally compliant with GDPR and that its vendors are, as well.
  2. Codes of Conduct. GDPR regulations stipulate that businesses set out codes of conduct related to how data will be gathered, used, and protected, as well as how users will exercise their “right to be forgotten.”
  3. Data Profiling and Consent. GDPR stipulates that the use of cookies and other means of tracking user data be disclosed to users and that the user’s consent be obtained before such tracking is used.
  4. Cross-Border Data Transfer. GDPR demands that the data of EU citizens can only leave the EU to approved locations.
  5. Data Portability. GDPR gives users the right to have their information be moved to another provider. Just as cell phone numbers can be transferred from carrier to carrier in the U.S., so too can user data (such as photos, emails, and documents) be transferred under GDPR rules.
  6. Pseudonymization of Personal Data. This refers to the randomization of user data so that it cannot be connected with the user. This is done to make the data anonymous, which is a GDPR requirement. Also, under GDPR, organizations must show why collecting the data is necessary, what it will be used for, and how the data will be deleted when it is no longer being used.
  7. Notifications of Data Breach. GDPR tightens the timeframe for data breach notifications to 72 hours after the breach occurred.

If you need further help understanding the GDPR deadline, you can post your legal need on UpCounsel’s marketplace. UpCounsel accepts only the top 5 percent of lawyers. Lawyers on UpCounsel come from law schools such as Harvard Law and Yale and average 14 years of legal experience, including work with or on behalf of companies like Google, Stripe, and Twilio.

Interested in learning more about GDPR compliance?

Download UpCounsel's free GDPR Compliance Whitepaper and learn the tools you need to put your company on the path to compliance. Included is a list of 10 practical steps to help organize efforts on GDPR, develop a compliance plan, and mitigate risk.