Kahn, Dees, Donovan & Kahn, LLP, is a member of MERITAS Law Firms Worldwide, which is a leading global network of more than 7,500 attorneys at 182 independent law firms spanning 89 countries around the world. Quentin Vaile, Meritas European Regional Director, recently issued the following guidance regarding the EU’s General Data Protection Regulation (GDPR) and what it might mean to our clients. For additional information about specific impacts of the GDPR on your business operations, please contact Mark Samila at msamila@KDDK.com or (812) 423-3183, or Allison Comstock at acomstock@KDDK.com or (812) 423-3183.
**
The EU’s General Data Protection Regulation – What Meritas Members Should Know
Quentin Vaile | MERITAS | European Regional Director
phone+44 7903 772 299 |qvaile@meritas.org
The EU’s General Data Protection Regulation comes into force on May 25, 2018, and will fundamentally change the legislative framework for the use and protection of personal data in Europe.
The GDPR applies to every organization, regardless of their size, who service customers located in the European Union (i.e. offer goods or services, irrespective of payment, or monitor their behavior). If a company, or firm, has customers or clients in the EU, even if the organization itself is based outside the EU, it is likely that they will need to comply with the GDPR.
The financial sanctions for non-compliance with the GDPR are significant with fines reaching up to 4% of a company’s global annual turnover or Euro 20million, whichever is larger. Recently both Facebook and WhatsApp were fined in Spain for data transfer issues. While the fines imposed on Facebook and WhatsApp were not significant in this case, the potential for massive fines make compliance with the GDPR a major strategic issue for all companies.
Top 10 issues and recommended next steps members and their clients should take:
The GDPR imposes upon companies a number of obligations in terms of the processing (capture, use and storage) of personal data. The following are our top 10 issues that members and their clients need to consider to ensure they are compliant. They must:
- Review and amend all legal text and documentation which describes how companies use personal data to ensure it is GDPR compliant.
- Create and implement proper policies and procedures that govern the use of personal data, handling data subjects rights and which ensures accountability in the compliance of all obligations established by the GDPR.
- Employ and train suitable individuals to oversee the company’s data processing activities and GDPR compliance obligations.
- Appoint a representative within the EU, to ensure they only have to deal with one single national data protection authority.
- Train all staff who process customers’ personal data to ensure they are aware of their new obligations under the GDPR.
- Ensure that all data processors enter into proper Data Processor Agreements.
- Maintain a register or record of all data processing activities.
- Ensure that all data transfers to and from other regions outside the EU meet the standards defined by the GDPR.
- Incorporate robust data security systems to minimize the likelihood of data breaches and have proper procedures in place to follow in case of a breach.
- Ensure that data privacy is incorporated ‘by design’ into any new system adopted by a company which processes personal data.
The Meritas Data Protection Group
The Meritas Data Protection Group brings together Data Protection and Privacy lawyers from across the Meritas network to advise companies on all aspects of their domestic and international data protection legal needs.
For more information and articles, or to access principal members of the group, view the Data Protection webpage.
Also available is a short video on the steps companies should be taking to comply with the GDPR.
