The General Data Protection Regulation, GDPR, is the European Union’s digital privacy legislation. It provides rights to individuals and imposes strict obligations on businesses that process the personal data of people in the EU and the European Economic Area. Personal data includes any information relating to an identified or identifiable natural person (known as a “data subject”). This means that if you are collecting even names and email addresses, you are almost certainly subject to privacy law of some kind, whether it is the GDPR or one of its U.S. counterparts.
Why does this matter? It matters because most online businesses collect personal data from individuals all over the world. If you collect personal data, as most businesses with a website do, and that data belongs to an EU resident, your company is under the jurisdictional reach of this law.
Kam Law Firm is a boutique GDPR compliance law firm that works with business owners to help them:
- Determine whether or not GDPR applies to them
- Understand the requirements of GDPR
- Analyze their current data protocols to measure compliance or lack thereof
- Formulate and implement strategies to obtain and maintain GDPR compliance
Privacy law is constantly evolving worldwide, and even from state to state in the U.S. Kam Law Firm is a forward-looking firm that helps business owners keep up with the constantly evolving legal requirements for managing personal data. Many companies assume the GDPR is not relevant to their operation because they do not specifically target EU residents, but if your business is online, you need to be sure.
What Is the GDPR?
The General Data Protection Regulation was passed by the European Union in April 2016 and took effect in May of 2018. The GDPR was passed in order to provide uniform standards for how personal data should be managed for European Union residents. Requirements of the GDPR include:
- Requiring a lawful basis (of which the individual’s consent is one) before processing personal data;
- Notifying the supervisory authority, and in some cases the affected individuals, of data breaches, generally within 72 hours of becoming aware of the breach;
- Handling transfers of personal data across borders in a secure and lawful manner;
- Requiring personal data to be deleted when the company no longer needs it or upon a valid request by an individual;
- For certain companies, appointing a data protection officer; and
- Having a clear Privacy Notice.
Who Is Governed by the GDPR?
GDPR applies to the processing of personal data of individuals who are in the European Union, regardless of where the processing of that data occurs. This means that even businesses located in the United States are subject to GDPR if the business offers goods or services to EU residents (whether free or purchased services) or if the business monitors the behavior of EU residents.
That means that, even if you’re a business in California, if you handle the data of EU residents, you could be subject to the requirements and penalties imposed by the GDPR. A GDPR lawyer can review your business practices to determine whether you are subject to the GDPR and where your current practices fall short of it.
What Happens If a Business Violates the GDPR?
Businesses that improperly manage personal data are subject to significant financial penalties and risk damaging their reputation. There are two tiers of fines for violators:
1. Tier One – For relatively minor violations, violators can face a fine of up to €10 million or two percent of the violator’s total worldwide annual turnover for the preceding financial year, whichever is higher. It’s important to note that this percentage is based on gross revenue, not profit.
2. Tier Two – More serious violations lead to more serious financial penalties. Companies found to have committed major violations of the GDPR can face a fine of up to €20 million or four percent of the company’s total worldwide annual turnover for the preceding financial year, whichever is higher.
To put these fines in perspective, at the exchange rate current when this was written the larger fixed amount equates to nearly $23 million USD.
Is the GDPR Relevant to California Businesses?
Yes, the GDPR can apply to a business in California. If a company handles the personal data of even one person in the EU in the course of offering them goods or services or monitoring their behavior, then the GDPR applies. This makes GDPR consulting imperative for companies collecting personal data such as email addresses.
Recent mismanagement of personal data by large companies has led states to implement their own versions of the GDPR. In 2018, California enacted the California Consumer Privacy Act, or the CCPA, which is currently one of the strongest consumer privacy protection laws in the United States.
The CCPA asks businesses to stop treating customer data as their own. It gives consumers legal rights over their data and legal recourse if companies fail to comply. The passage of that law has prompted businesses to scramble for the legal advice of a CCPA lawyer in order to ensure compliance with its requirements by January 1, 2020. Although the law is not in effect until January, it gives consumers the right to demand information about the use of their data in the prior twelve months, so companies need to have processes in place now to respond to those requests.
How Kam Law Firm Can Help
The GDPR is overwhelming, but enforcement is on the rise and fines are high. It is not an easy area to navigate alone. The regulation has only been in effect a few years, and worldwide, companies and attorneys are working proactively to implement best practices. If you need more information about the GDPR or want to talk to a GDPR attorney to find out if it applies to your business, contact Kam Law Firm today to schedule a complimentary initial consultation.