The EU’s General Data Protection Regulation: What is it and does it apply to me?

By Anil Patel

To address the growing concern surrounding data safety, the European Union has drafted the General Data Protection Regulation (GDPR), which will go into effect May 25, 2018. If you find that the GDPR may apply to your organization, there are ways you can prepare.

The GDPR expands upon the previous Data Protection Directive (Directive 95/46/EC) in several ways, one of which is that it applies to organizations even if they have no physical presence in the EU. Additionally, the GDPR focuses on individuals within the EU, by giving them rights that must be respected by organizations who process their data. Before processing, an organization must have a lawful legal basis to process any personal data of an EU individual. Failure to comply with the GDPR may cause organizations to face significant fines.

The GDPR applies to organizations when their processing of personal data is related to (1) the offering of goods or services to EU individuals or (2) monitoring the behavior of EU individuals. The “personal data” definition under the GDPR is incredibly broad and is defined as any information relating to an identified or identifiable natural person. This definition could include names, addresses, IP addresses, phone numbers, email addresses, financial information, medical information, or information found on social media websites.

As noted above, before any organization can process data of a EU individual, it must have a lawful basis. There are six legal bases offered to justify data processing; however, private organizations will probably use the legitimate interest legal basis most commonly.

Under the GDPR, individuals in the EU have more rights, some of which include the right of access, right to be forgotten/erasure, and right to object. The GDPR has been drafted from the consumer perspective, in that it focuses predominantly on the organization’s responsibility to protect the individuals’ data and gives the EU individual more control over their personal information.

The GDPR has also outlined the fines for non-compliance. It provides for administrative fines for violations, most notably, for violations of the individuals’ rights. If an organization has violated an individuals’ rights, it may be subject to administrative fines of up to 20M Euros or up to 4% of the total annual turnover of the preceding fiscal year, whichever is greater.

Organizations will also have to determine whether they need to appoint a Data Protection Officer. An organization must appoint a data protection officer if its core activities consist of processing operations, which by virtue of their nature, scope, or purposes, require regular and systematic monitoring of data subjects on a large scale. This officer will be responsible for advising and monitoring the organization for GDPR compliance and will serve as the point of contact with regulators.

So where does this leave us? The GDPR is incredibly expansive, in part due to its extra- territorial scope since organizations no longer need a physical presence in the EU to be subject to its regulation. While it is still some uncertain how the GDPR will be enforced, organizations can prepare by documenting their legal basis, determining what data processes they will use, and updating their contracts with vendors. Furthermore, organizations in financial, audit, or accounting roles, should speak with their respective IT counterparts and partners to determine what types of personal information their systems may house. Think of the personal information of customers, contractors, employees, audit or accounting work-papers that contain personal information, or communications containing personal information.

EU member states are still issuing guidance on how best to prepare for the GDPR. One helpful resource can be found at the UK’s Information Commissioners Office. While the GDPR puts forth a higher standard than most regulations in the United States, organizations should consider whether they fall within its scope, and if so, how best to prepare. Even if your organization does not fall within this scope, you may want to consider the guidance given on the GDPR as a “best practice” moving forward. If you think you may fall within the scope of the GDPR you should contact an attorney for further guidance.

Anil Patel is an Assistant Attorney General in the Consumer Protection Section of the Ohio Attorney General’s Office, and is assigned to the Cyber and Privacy Unit where he performs cybersecurity outreach throughout Ohio, legal analysis of laws and their application to the current cyber landscape, and participates in helping revise proposed legislation. As part of the Cyber and Privacy Unit, he focuses on the CyberOhio Initiative, which is aimed at protecting Ohio businesses from cyber threats. Prior to working in the Cyber and Privacy Unit, Anil worked in the Medicaid Fraud Control Unit as a prosecutor for the Attorney General’s Office.