Today is May 25, 2018, the deadline by which companies around the world had to comply with the EU General Data Protection Regulation (GDPR)! This new legislation is intended to have a significant impact on data protection worldwide and its requirements affect a large number of business owners, officers, and decision-makers. We urge you to read this whole message and seek competent advice regarding the extent to which the GDPR applies to you.
Over the past months, businesses around the globe have been scrambling to get their policies, documents, and security certificates updated in order to meet today’s compliance deadline for the GDPR, which governs how companies collect, store, and transmit EU personal data. Personal data is defined as any record that could identify an individual—including names, phone numbers, and addresses—and has also been extended to digital identifiers such as IP addresses, cookie IDs, digital fingerprints, and user IDs.
Unfortunately, many Utah businesses mistakenly believe the GDPR does not apply to them since they are not doing business in the EU. However, the GDPR applies to any organization that collects, processes, manages, or stores the data of European citizens. Does your company have a digital presence in the EU? Do EU citizens access your website, purchase your products online, or receive your marketing information? If you answered yes to any of those questions, your company may be considered a “Data Controller” under the new law, subjecting it to strict regulations and steep fines for failure to comply.
Compliance does not merely entail keeping personal data safe. It also requires providing detailed information to individuals prior to obtaining their data and gives the data subject the right to inspect or change the data, the right to have the data deleted, and the right to be informed within 72 hours of a data breach. Large fines of up to €20m, or 4% of global GDP per business, can be assessed for failure to comply with the legislation.
If your business is like many other Utah businesses, today, May 25, 2018, is the day you realized your company has already failed to comply with the legislation. If that is the case, or if you have questions about the US-EU Privacy Shield (a separate, but related data privacy protection regime), please contact Tim Anderson firstname.lastname@example.org and Rachel Naegeli email@example.com, attorneys with Jones Waldo’s International Law Practice Group. They have assisted other Utah-based businesses with complying with both the Privacy Shield and the GDPR and can help you determine what steps your company needs to take to achieve compliance.