Is your Business prepared for the new General Data Protection Regulation (GDPR) due to come into effect on 25th May 2018?

The EU General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR), adopted in May 2016, becomes directly applicable in all EU member states on May 25th, 2018, without the need for local implementing legislation.

Is Your Business Ready?

This major revision to the EU’s personal data protection laws replaces the member state laws implementing the Data Protection Directive (Directive 95/46/EC) and will likely require organization-wide changes for businesses with EU-based customers or operations.

It must be noted that GDPR applies to businesses which are:

  • Established in the EU, regardless of whether the processing takes place in the EU;
  • Not established in the EU but that offer goods or services to EU-based individuals (free or paid); or
  • Not established in the EU but that monitor EU residents’ behaviour.

How to determine if the business is established in the EU:

It is important to examine the business’s operations for EU related activities and contacts such as:

  • Physical establishments in the EU;
  • Subsidiaries, affiliates, branches, representatives or agents established in the EU;
  • Real and effective activities conducted in the EU through stable arrangements, even if minimal.

If the business does not have an EU establishment, you must examine the business’s operations to see whether GDPR still covers its processing activities because they involve:

  • Goods or services offered to EU-based individuals or entities (free or paid);
  • Websites or other online services accessed by or targeting EU-based individuals, particularly in the country’s native language; or
  • Monitoring of data subject behaviour that occurs in the EU, including internet-based online advertising or profiling activities.

From May 25, 2018, global organizations subject to the GDPR face enforcement risks for non-compliance and may also be subject to penalties, such as:

  • Civil and administrative penalties.
  • Criminal penalties if allowed by EEA countries’ local laws.
  • Damages in private lawsuits by supervisory authorities and data subjects.

Each country also has the right to implement other penalties into local law. If it does so, each country is required under the GDPR to notify the European Commission of any additional penalties it adopts by May 25, 2018 (Article 84(2), GDPR).

Whilst the EU Directive does not set out the administrative penalties that supervisory authorities can enforce, it does set out two levels of administrative fines that supervisory data protection authorities may issue, depending on the type of violation:

  • Up to 10,000 euros or 2% of total worldwide annual turnover, whichever is greater.
  • For more serious offences, fines of up to 20,000,000 euros or 4% of total worldwide annual turnover, whichever is greater.

Therefore, businesses are no longer able to take this lightly and should act immediately to ensure they are fully compliant with GDPR prior to 25th May 2018.

GDPR Compliance Program

It is important to lay the groundwork for a GDPR Compliance Program to ensure there is an internal compliance program for all to follow:

  • Designate a person or group within the business to lead the effort.
  • Educate the business’s senior decision makers about:
    • GDPR’s new risk-based compliance approach; and
    • The potential effects of non-compliance (including the significantly expanded monetary sanctions for compliance violations, which can be up to 20 million or 4% of annual net revenue for serious breaches).
  • Empower the governance program to establish or change systems and processes within the business.
  • Build support for the program across the business.
  • Meet with key stakeholders who collect and use personal data for the business to educate them on the new requirements.
  • Establish a reasonable GDPR implementation and compliance budget based on business size, location, means, and the complexity and sensitivity of its processing activities.

How can Manubens assist?

To determine whether your business has an EU establishment or engages in activities covered by the GDPR, please contact us and we will provide you with an initial review and outline the key changes that need to be applied.

Do you want more information?

Mandeep Johal

Mandeep is an experienced and organised UK-qualified solicitor with numerous years of experience. Accustomed to multi-tasking, with the ability to work under pressure to exceed client expectations. Excellent legal and business skills, with the experience and capability to manage a team to achieve excellent results.

Barcelona - Spain
