GDPR summary: The GDPR was created to help people control their personal data. Short for General Data Protection Regulation, the GDPR protects the rights of EU residents and their personal information. Simply put, the GDPR is a new law that will replace the Data Protection Directive. It will be officially enforced from May 25, 2018, and aims to protect victims, witnesses, and suspects involved in crimes, since such information is usually publicized. It is also meant to protect everyone’s personal information, which can include information collected when someone purchases products over the Internet or signs up for e-mails from a retail store.

Notably, businesses located outside the EU are in fact subject to the jurisdiction of EU regulators if they want to collect information on an EU resident.

What Type of Personal Data is Protected

Personal data includes a variety of information, including the following:

  • Name
  • Social Security Number
  • Address
  • Cultural background
  • Economic background
  • Mental capacity
  • Genetic information
  • IP addresses
  • Race
  • Religion
  • Political orientation
  • Sexual orientation
  • Health information
  • Biometric data

Who Enforces the Regulation

Each company that has to abide by the GDPR rules will have a national DPO (“Data Protection Officer”) as its lead regulator, who is also someone employed under the Data Protection Act (“DPA”). The European Data Protection Board will then be made up of all national DPOs, along with the European Data Protection Supervisor, as representatives. The European Data Protection Board will also handle any legal disputes that could arise if someone believes his or her data has been misused or stolen.

Data Controllers and Processors

Data controllers and processors have different responsibilities when it comes to protecting the data rights of EU citizens. Both roles require implementing appropriate measures to protect the rights of individuals by keeping their personal data secure. Furthermore, if any data is at risk, the data controller and processor must take certain actions to mitigate the risk, including the following:

  • Restore data in a timely manner if an incident occurs
  • Engage in periodic testing to evaluate the measures that are being used to protect personal data

Fines & Violations

Various fines are imposed if the new rule is not complied with.

Regulators can issue penalties equal to the greater of 10 million pounds or 2% of the business’s global gross revenue for bookkeeping violations or breaches of privacy rights.

Furthermore, violations related to the legal justification for processing, data rights, and cross-border data could result in a fine of up to 20 million pounds or 4% of the business’s entire global gross revenue.

Limitation on Consent

Consumers can’t be asked to agree to unfair contract terms in exchange for their consent. Businesses will therefore need to review very carefully any contract that is put in place before having consumers enter into it. If the data is to be used for different purposes, the consumer must consent separately to each use of the data.

Furthermore, consent given in a contract is deemed invalid if the party is required to consent to the use of his or her personal data when that data doesn’t otherwise need to be used, or, alternatively, if that personal data is not necessary for performance under the contract. An example might be a mobile phone user who wants to download an app on his or her phone and, in order to download it, has to input personal information such as a name and e-mail address.

If you need help learning more about the GDPR, or if you own a business that either conducts business in the EU or does business with EU citizens and need assistance in re-drafting contracts with such parties, you can post your legal need on UpCounsel’s marketplace. UpCounsel accepts only the top 5 percent of lawyers to its site. Lawyers on UpCounsel come from law schools such as Harvard Law and Yale Law and have an average of 14 years of legal experience, including work with or on behalf of companies like Google, Stripe, and Twilio.

Interested in learning more about GDPR compliance?

Download UpCounsel's free GDPR Compliance Whitepaper and learn the tools you need to put your company on the path to compliance. Included is a list of 10 practical steps to help organize efforts on GDPR, develop a compliance plan, and mitigate risk.