Client Alert: Caught Off Guard By the GDPR?

Client Alert: Caught Off Guard By the GDPR?

By Rudy E. Verner and Jacob Scarr


The European Union’s General Data Protection Regulation (GDPR) went into effect on May 25th. The sweeping new regulations appear to have caught many businesses off-guard. Those who are wondering what they need to do if they have not yet taken steps to ensure they are compliant can begin by answering a few questions and gathering information.

Who are your customers? If your business is collecting and processing online data of customers located in the EU, or if you advertise to EU residents, you are likely required to comply with the GDPR. Unless you are certain your business will never store or process the data of EU customers, you should ensure your company’s policies and procedures are compliant.

What types of data is your company collecting and what are you doing with it? Differences in how your business obtains and uses the personal data of EU citizens will determine your obligations and liabilities under the GDPR. You should know whether your company collects and stores personal data, what kinds of data are being processed and stored, as well as who can access that data. You will need to post a clear and precise notice of your data processing activities and obtain freely given consent from EU residents to collect personal data.

Can you comply with user requests? Your business will need to consider whether or not it can comply with the data subject rights and requests mandated by the GDPR. Companies will need to have procedures that allow EU data subjects to access, rectify, and erase data. The GDPR allows data subjects to revoke their consent to collection and processing at any time.

Are you prepared for a breach? The GDPR imposes strict requirements on conduct following a data breach. In most instances, when a security breach threatens the rights and privacy of data subjects, companies must issue a notification within 72 hours after discovering the breach, describing the consequences of the breach, and communicating the breach directly to all affected subjects. Companies may need a process for identifying and informing individual EU data subjects of a breach under certain circumstances.

Are you aware of the penalties? The EU imposes strict penalties on companies for violating the GDPR. If your company compromises an EU citizen’s data, the penalty could be up to 20 million euros or four percent of a company’s worldwide revenue, whichever is larger.

Have you updated your privacy policy? Most companies will need to revise their privacy policy to bring it into compliance with the GDPR.  Policies must be concise and written in clear and plain language. They will need to include a meaningful overview of the intended processing of user data. If your business uses additional services and features to process data, such as Google Analytics, your privacy policy may need to reflect how those services are collecting and using data, as well as how data subjects can access their data.

Any other requirements? Compliance with the GDPR may require the adoption of other measures, including ensuring that your vendor contracts are in compliance, determining if you need to conduct impact assessments, evaluating requirements for international data transfer, appointing a Data Protection Officer, and quite a bit more.

If you have any questions regarding GDPR compliance, please contact Rudy E. Verner at BHGR Law at 303-402-1600.  You can access the GDPR and other materials regarding the regulation at .

This article is intended to provide general information and, therefore, should not be treated as legal advice. If you have questions about a specific legal issue, you should seek the advice of a qualified attorney.