GDPR Changes: What Business Owners Need to Know

While many startups and small businesses already have existing privacy policies in place (read here why its necessary for most businesses with an online presence), they will need to update their privacy policies in accordance with the new changes under the General Data Protection Regulation (“GDPR”), which will be embraced by European Union Privacy law on May 25, 2018. A list of the changes may be found here, and the ladies of Smith Shapourian Mignano PC have summarized these changes for your convenience below.  

First, the GDPR actually applies to all businesses, regardless of their location, as long as those businesses process the "personal data" (FN1) of data subjects residing in the EU.  It does not matter whether the processing itself takes place in the EU. The GDPR will also apply to the processing of personal data of data subjects in the EU by a controller or processor not established in the EU, where the activities relate to: offering goods or services to EU citizens (irrespective of whether payment is required), and the monitoring of behavior that takes place within the EU.  Businesses that are not located in the EU, but process the data of EU citizens, will also have to appoint a representative in the EU. So, these changes under the GDPR apply to, for example, a startup located in America that markets and sells services and/or products to customers in the EU.

Second, the tiered fines can be steep, and businesses must take heed.  On the low end, a company can be fined 2% for not having their records in order, not notifying the supervising authority and data subject about a breach, or not conducting impact assessment. On the higher end, a company can be fined up to 4% of annual global turnover or €20 Million (whichever is greater) for the more serious infringements such as not having sufficient customer consent to process data, or violating the core of Privacy by Design concepts.

Third, the new changes require legalese to be omitted from antiquated website privacy policies, and require that website visitors are able to withdraw consent for use or sharing of their personal information as easily as they give it.  

The below bullet-pointed list summarizes considerations under the new GDPR that businesses must confront in evaluating their current privacy policies:

• 72-hour data breach notification;
• Disclosure as to whether or not personal data is being processed, where, and for what purpose;
• Provision of a copy of the personal data, free of charge, in an electronic format, such that the person has the right and ability to transmit that data to another controller;
• Ability to, upon request, erase personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data;
• Inclusion of data protection from the onset of the designing of systems, rather than an afterthought; and
• Increased internal record keeping requirements, and Data Protection Officer (DPO) appointment as necessary where businesses’ core activities consist of processing operations which require regular and systematic monitoring of EU data subjects on a large scale, or of special categories of data or data relating to criminal convictions and offenses.

How Big Tech companies handle the new promulgated regulations will most likely influence startups and small businesses managing user privacy and data online.  Smith Shapourian Mignano, PC is available to answer any questions or concerns you may have regarding your business’ existing privacy policy and compliance with the new directives under the GDPR.

FN1. Personal data of EU persons is defined broadly in this case to include most types of information that business websites solicit from visitors or customers: “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person…”  

This blog does not constitute solicitation or provision of legal advice, and does not establish an attorney-client relationship. This blog should not be used as a substitute for obtaining legal advice from an attorney licensed or authorized to practice in your jurisdiction. You should always consult a suitably qualified attorney regarding any specific legal problem or matter in a timely manner, as statutes of limitations may bar your claim.