New privacy laws are now in force which impact companies in the EU and those outside the EU that operate EU-facing websites to market goods or services to EU-based individuals and/or monitor EU-based individuals, e.g., with cookies or other similar technologies. The changes are far-reaching and may require numerous amendments to the way affected businesses handle personal information.
The General Data Protection Regulation (GDPR) came into force on 25 May 2018. The GDPR has placed increased obligations on businesses including:
- a stricter definition of consent, making it harder to obtain, particularly for those companies with EU-based employees
- new laws on profiling, sensitive data handling, data retention and use, which will restrict what companies may do with the data they collect and how they store and handle that data
- new obligations on and liabilities for data processors
- new breach notification requirements
- increased sanctions for failure to comply, which could result in fines of up to 4% of annual turnover or €20 million (whichever is higher).
The GDPR may require not only changes in business operations and new technology but also changes to the configuration of existing technology. Becoming GDPR-compliant and maintaining GDPR compliance needs to be a multi-stakeholder process, involving both internal company resources across the organization and external advisers. We can help you be GDPR compliant. We have a team of experienced practitioners who have worked towards compliance with numerous organizations in many sectors. If you would like further information on what you should be doing to become GDPR-compliant, please contact us – we are here to help.