Q. What is GDPR?

A. GDPR stands for the General Data Protection Regulation. This European Union regulation took effect on May 25, 2018. You may have noticed that many of the websites you visit published updates on their website or delivered a notice regarding updates to their privacy policies in the days leading up to that date. Many of these updates were designed to comply with GDPR. GDPR alters how businesses and public organizations handle information submitted by or collected from their customers, clients and consumers. It also gives individuals greater ability to control their personal and private information held by these organizations.

Q. I don’t live or conduct business in any European Union nations; why should I be concerned with GDPR compliance?

A. The internet knows few boundaries. You may be subject to GDPR without realizing it. GDPR protects citizens of EU countries, as well as non-citizens who reside in EU countries, and does not depend on the location of the entity holding those people’s data. Most companies cannot guarantee that they will not collect data from visitors to their websites who happen to reside in the EU. We currently do not know how the EU would enforce the regulation against entities located outside the EU’s jurisdiction. However, the fines could be significant and it is possible that other countries will eventually follow the EU’s lead.

Q. What are some of the requirements to comply with GDPR?

A. This list is not exhaustive, so please consult an attorney if you are concerned about GDPR compliance. However, here are some of the most common GDPR requirements:

1) Consent – Many entities are updating their website privacy policies and/or terms of use to state that site use constitutes consent to collect the information of customers and visitors.

2) Breach Notification – Most U.S. states have requirements of notification in the event of a security breach where personal information is compromised. GDPR has among the highest requirements for notification of a security breach. Customers must be notified within 72 hours of discovery of the security breach.

3) Right to Access – Customers have a right to obtain confirmation about whether and how personal data is being processed.

4) Right to Be Forgotten – Many entities have a higher burden for demonstrating what data they are storing and why. When data is no longer relevant to its original purpose, customers can request that their data be erased and no longer distributed.

5) Data Portability – Customers have the right to obtain and reuse their personal data for their own purposes by transferring it across different IT systems. Entities are responsible for creating processes and identifying employees who respond to requests for the portability or erasure of personal data. For organizations with 250+ employees, a Data Protection Officer must be appointed.

Q. What steps can be taken in order to comply with GDPR?

A. If you are particularly concerned with managing GDPR compliance and work with EU citizens or EU residents, there are some steps that can be taken to manage the risk.

1) Consult an attorney for specific guidance.

2) Audit the types of data that you collect from customers or clients, and determine the legal or business purpose for collecting and storing such data.

3) Update your privacy policies and/or terms of use to allow customers and clients to “opt-in” to having their personal data collected.

4) Appoint an employee or member with the responsibility of monitoring security breaches and responding to requests for personal data access, portability or erasure.