Are you GDPR compliant? It's not just a question for EU-based companies

April 12, 2019
Business Affairs
By Robert J. Kerwin

On May 25, 2019, we will be celebrating the one-year anniversary of the European Union’s largest change in data protection, known as the General Data Protection Regulation (GDPR). GDPR has reportedly caused major disruption in the ways companies manage customer data both in and out of the EU.

If your company is processing credit card information or other personal data from EU citizens, you ought to be examining compliance and whether you must maintain a personal representative resident in the EU to receive, among other things, service of process or inquiries as to compliance. Only if the processing of data is really "occasional" and is unlikely to risk the rights of EU citizens may you consider claiming an exemption from this requirement.

Many companies not resident in the EU are surprised that the GDPR applies to their business where it is shown that the business processes personal data of EU data subjects. Translation: if a company is collecting, holding, monitoring or processing personal data of any person physically within the EEA (EU, Iceland, Norway, Liechtenstein), the GDPR most likely applies.

Companies need to determine whether they are "controllers" or "processors" of personal data acting on behalf of the controller. GDPR treats the data controller as the principal party responsible for collecting consents from the data subjects, managing the revoking of consents, enabling rights of access and assuring adequate data security. The European Data Protection Board expects processors to take reasonable steps to secure data using tools such as encryption, pseudonymization, stability and uptime, backup and disaster recovery and regular security testing. If a data breach occurs, processors must notify data controllers without undue delay upon learning of data breaches. Companies may allow transfer of personal data to a third country only if legal safeguards are obtained.

Getting one’s arms around GDPR compliance is no easy task. With apologies to David Letterman (who, technically, has not been hosting the Late Show for four years), provided below are the top eight things to consider for GDPR compliance:

NO. 8. If you are not in GDPR compliance, penalties up to 20 million Euros (or more for companies over 500 million in total revenue) may technically apply under applicable EU law. Since most U.S. states separately require written information security protocols to be in place, and the FDA and other applicable federal agencies expect data protection to be a central portion of your compliance program, the GDPR penalty may be a catalyst for non-EU companies, but there are already other far-reaching data security requirements.