In the previous two installments of this series, we introduced businesses to the new General Data Protection Regulation that went into effect in May. In a nutshell, GDPR is a European Union regulation aimed at increasing the privacy of anyone who shares data with companies, regardless of their location in the world. Among other things, it requires companies to make certain disclosures before gathering personal information, obtain consent before using that personal information and notify authorities within 72 hours of a data breach. GDPR also allows authorities to assess staggering penalties for breaches.
It is too early to tell when GDPR enforcement actions will begin in earnest, but two things have already happened that are worth noting.
First, because GDPR authorizes private citizens to enforce its requirements, some consumer activists in Europe have begun seeking enforcement against the tech giants Facebook, Google, Instagram and WhatsApp. Businesses should be on the lookout for individual consumers (and consumer advocates) sending GDPR-based notices and demands. If a business receives such demands, it should not ignore them and should consult legal counsel for guidance.
Second, Facebook and Google are bracing to see if they will be the first targets of GDPR enforcement. If that happens, we can expect large-scale battles in the European courts over the legality and effect of GDPR.
Many U.S. businesses remain stymied by GDPR and lack a true understanding of what it requires. Therefore … they ignore it and move on to more-pressing matters. If this has been your approach, it is not an effective long-term strategy. GDPR is here to stay, and we are already beginning to see similar laws being passed in the United States.
For example, California passed a sweeping data privacy law – the most stringent to date in the U.S. – this past June that will go into effect in 2020. Like GDPR, this law provides citizens with the right to know what data companies collect about them and the reasons for that collection. It also allows them to request their personal information be deleted and opt out of the sale of their personal information.
If you are one of the many businesses still not GDPR-compliant, what’s next?
First, you need to understand what GDPR is and how it affects your business. Shareholders, owners, customers and enforcement authorities will not accept ignorance of GDPR as an excuse.
Second, you will have to determine what you need to do to comply with GDPR. You can do this by meeting with your key decision-makers, your information technology professionals and your legal counsel.
Working on GDPR compliance is also a good opportunity for your business to take a hard look at its online presence and privacy/data protections.
If you are still not convinced your business needs to comply with GDPR, here’s one final thought. Suppose you plan on selling your business in the future to a large public company, for example. You negotiate a purchase price and are thrilled with the upcoming sale. Your lawyer gets the due diligence checklist, and the last item reads: “Seller’s compliance with GDPR.” Your heart sinks and you have a vague flashback to this article. You tell your lawyer that you’re not GDPR-compliant. Will this failure kill your deal? Maybe not. Will it possibly delay your sale, or worse, allow the buyer to negotiate a reduced purchase price? Perhaps. Regardless, the time to become GDPR-compliant is now, and not at the last minute.
Editor’s Note: This is the third of an occasional series on the European Union’s new General Data Protection Regulation.
Brian J. Lamoureux is a partner at Pannone Lopes Devereaux & O’Gara LLC in Johnston.