On May 25, 2018, a new European privacy regulation called The General Data Protection
Regulation (GDPR) will come into effect. The goal of the GDPR is to provide citizens of the EU
and EEA with greater control over their personal data and assurances that their information is
being securely protected. The GDPR will be implemented in all privacy laws across the entire EU
and European Economic Area (EEA) region. It will apply to all companies controlling, processing
or storing personal information about individuals in Europe.
So how does the GDPR impact your U.S.-based business? If you think the GDPR does not apply
to you, think again. The GDPR applies to any business that does one or both of the following:
· Offers products or services to citizens of the EU.
· Collects personal information from citizens of the EU.
If your business meets either of these criteria, it doesn’t matter where your business is located.
This means that a U.S.-based business that simply collects email addresses from EU citizens will
be required to comply with the GDPR.
The GDPR signifies a radical reform to the current data protection regime and is going to
dramatically change the game when it comes to privacy and data. Your business may need to
make major and systematic changes to the ways in which you handle data in order to achieve
compliance. Under the GDPR, individuals have expanded rights, including:
1. The right to access (GDPR Art. 12, 15) – Individuals have the right to demand access to
their personal data and inquire how their data is used by the company after it has been
2. The right to be forgotten (GDPR Art. 12, 17) – If an individual withdraws their consent
from a company to use their personal data, they have the right to have their data
3. The right to data portability (GDPR Art. 12, 20) – Individuals have a right to transfer
their data from one service provider to another.
4. The right to be informed (GDPR Art. 12, 13, 14) – Consumers must “opt in” for their
data to be gathered, and consent must be explicitly.
5. The right to correction (GDPR Art. 12, 16) – Individuals have the right to have their data
6. The right to restrict processing (GDPR Art. 12, 18) – Individuals can request that their
data is not used for processing.
7. The right to object (GDPR Art. 12, 21) – this includes the right of individuals to stop the
processing of their data for direct marketing. There are no exemptions to this rule, and
any processing must stop as soon as the request is received. In addition, this right must
be made clear to individuals at the very start of any communication.
8. The right to not be subject to automated decision making (GDPR Art. 12, 22) –
Individuals have the right to demand human intervention, rather than having important
decisions made solely by algorithm.
Penalties for non-compliance are astronomic: €20 million or 4% of annual revenue, whichever is
greater. Do you have questions or concerns about GDPR compliance? Reach out to us at
email@example.com to learn more about what your business needs to do to comply.
Disclaimer: This post discusses general legal issues and developments and intended to serve as informational only and may not reflect the most current law in your jurisdiction. These informational materials are not intended, and should not be taken, as legal advice on any particular set of facts or circumstances. No reader should act or refrain from acting on the basis of any information presented herein without seeking the advice of counsel in the relevant jurisdiction. Archetype Legal PC expressly disclaims all liability in respect of any actions taken or not taken based on any contents of this article.