GDPR 101: What You Should Know About the European Union’s Impending Data Privacy Directive
If you are under the impression that the European Union’s (EU) General Data Protection Regulation (GDPR) doesn’t apply to you, there’s a good chance you could be mistaken. Despite the common misconception, the impact of GDPR extends far beyond companies based only in Europe. In fact, the regulation applies to any company that solicits, controls or otherwise uses or comes to possess the personal data of EU citizens.
In this first article in a series addressing GDPR, we'll review the key tenets of the regulation, who it impacts and how companies can work toward compliance. In subsequent Insights, we'll cover GDPR's impact on third-party vendor management and dive deeper into the meaning of "consent" as it relates to the regulation.
Where Did GDPR Come From?
The EU's new privacy regulation was first approved by the European Parliament in April 2016 and formally goes into effect May 25, 2018. The GDPR replaces the EU's Data Protection Directive, which was originally adopted in 1995 and is now considered outdated given the advances in technology and the growing risks associated with personal data.
Who Does GDPR Impact?
GDPR is not specific to companies based in the EU. Rather, any business that maintains or processes data related to persons located within the European Union is required to comply.
US-based companies within e-commerce, software, travel and hospitality, for example, are widely considered to fall under the compliance restrictions of GDPR given that they operate wide-scale online platforms and solicit personal data via their websites.
Companies qualify under GDPR as either data controllers – those that determine how and for what purpose personal data is used or stored – or data processors – those that process data on behalf of a controller.
NOTE: Read more on the varying qualities of data controllers and data processors, as well as their specific requirements under GDPR, in this MFA Insights article.
What Does GDPR Consider Personal Data?
GDPR's definition of what qualifies as personal data is broad: "any information relating to an identified or identifiable natural person". Unlike other recent data privacy regulations we've seen implemented, such as Massachusetts's 201 CMR 17, which more clearly define personally identifiable information (PII), the scope of GDPR's reach remains somewhat unclear given the vague parameters. As such, companies required to comply will need to take expansive steps to ensure any information that could potentially be considered "personal" is protected.
What Are the Penalties for Non-Compliance?
The EU is taking GDPR very seriously, and as such, the penalties for non-compliance are quite severe. Failing to adhere to GDPR directives can lead to significant fines of up to €20 million (equivalent to $24.9 million USD) or 4% of global annual turnover, whichever is greater.
How Can My Organization Comply?
Companies should start by understanding what personal data they currently store and process on EU residents before they can begin to implement new standards for the protection of this data. Conducting an assessment to identify the types of personal data present, where that data is located, what you do with it and how long it is stored is a wise starting point.
The GDPR states that companies must provide a “reasonable” level of protection for the personal data of EU citizens, but “reasonable” is not specifically defined, leaving much in the way of compliance open to interpretation.
In Part 2 of our Insights series on GDPR, we dive deeper into the differences between data controllers and data processors and address how organizations that work with third-party vendors may be impacted by the regulation. Read here.
In the meantime, if you have questions about your business's compliance requirements under GDPR, please contact MFA.