CLIENT ALERT: Europe’s New Data Privacy Regulation

CLIENT ALERT:  Europe’s New Data Privacy Regulation

On May 25, 2018, the European Union (EU) will replace its current data privacy regulations with the General Data Protection Regulation (GDPR). The GDPR requires any company which handles EU citizens’ personal data to implement a number of operational changes in order to further protect online information. This sweeping privacy regulation affects companies worldwide and it is vital to know whether your company needs to comply, and, if so, how to achieve compliance.

Territorial Scope of the GDPR.  The scope of the GDPR is broad:  it applies to companies located within EU Member States and to companies outside the EU, including those in the United States.  A business is subject to the GDPR if it collects or stores personal data of EU citizens in connection with:  (1) the offering of goods or services to such citizens in the EU, or (2) the monitoring of EU citizens’ online behavior.

Key Components of the GDPR

►  Consent: Consumers must now provide explicit consent before businesses can collect sensitive personal data.  Such consent must be freely given, informed and unambiguous. Requiring consumers to opt-out of data collection is no longer permissible.

►  Data Breach Notification:  Companies must notify applicable regulatory agencies of a data breach affecting personal data within 72 hours from its discovery.  

►  Data Security: Companies that process data on behalf of other businesses—such as third party advertisers and companies providing data analytics—are required to implement appropriate technical and organizational measures to protect data subjects’ rights.  Companies can demonstrate compliance with these data security requirements by adhering either to an approved code of conduct or certification mechanism.

►  Right to Access:  EU Citizens will have the right to obtain from a company confirmation as to whether personal data concerning them is being collected, stored, and used, and for what purposes. The company shall provide a copy of the personal data, free of charge, in an electronic format.

Penalties for Non-Compliance with the GDPR. Non-compliant companies subject to the GDPR can be fined up to 4% of annual global turnover or €20 million (whichever is greater). The penalty system is a tiered approach based on the severity of the violation.

Next Steps.  If your business has customers or subsidiaries in the EU, or if you advertise your goods or services to EU citizens, you should start taking steps to comply with the GDPR’s sweeping changes.  This summary is simply an overview of the GDPR’s main provisions.  You can access the GDPR and other materials regarding the regulation at If you have any questions regarding GDPR compliance, please contact Rudy E. Verner at BHGR Law at 303-402-1600.

This article is intended to provide general information and, therefore, should not be treated as legal advice. If you have questions about a specific legal issue, you should seek the advice of a qualified attorney.