The European Union's General Data Protection Regulation (GDPR) is a comprehensive privacy law that governs any entity that collects or processes the personal data of individuals located in the European Union (E.U.)* or the European Economic Area (EEA)**. Businesses of all sizes, regardless of where they are located, have had two years to assess their potential GDPR compliance risk and prepare for Friday's effective date.
The GDPR draws no distinction between non-profit and for-profit business activities, allowing for very few exemptions from compliance (mostly related to national security, public interest, law enforcement, and individual liberties). It poses pressing compliance issues for businesses that collect, process, store, and/or transfer the personal data of individuals from the E.U. and the EEA.
With one day left before the GDPR effective date, we provide the summary below to assist you with identifying the types of business activities and sectors most likely to trigger GDPR obligations, this week and beyond.
Which Business Activities and Sectors are Affected?
Businesses in all sectors are affected to the extent that they process personal data of individuals located in the E.U. or EEA.
Common business activities that may implicate the GDPR include marketing, fundraising, advertising, membership, software services, educational activities, medical services, employment, political campaigns, online services, social media, e-commerce, financial services, hospitality, travel, transportation, procurement, and videography / CCTV, to name a few.
Is GDPR likely to affect your company? Use our flowchart to find out.
How We Can Help
Members of Baker Donelson's Data Protection, Privacy, and Cybersecurity Team with expertise in advising clients on the GDPR are ready to assist you with the wide range of activities associated with compliance and will help you decide what comes next. We already have assisted numerous clients with:
- Gap Analysis using Data Inventory and Mapping / Information Governance results;
- Self-Assessments, Prioritization Strategies, and Remediation Plans;
- Data Protection Impact Assessments (DPIAs) for high-risk and new products, services, and technologies;
- Documentation of legal bases for cross-border data transfers using E.U. model contract clauses (standard contractual clauses), Binding Corporate Rules (BCRs), Data Protection Authority approval, E.U.-U.S. and Swiss-U.S. Privacy Shield certifications, and evaluating applicable derogations;
- Revision of relevant internal policies and procedures and interplay with existing policies and procedures;
- Revision of website and other online and offline privacy statements;
- Vendor risk management, including vetting of high-risk business partners and revision of existing vendor/service provider, customer, and employee-facing contracts and notices, including the creation of GDPR-specific Data Processing Agreements;
- Breach notification documentation and procedures;
- Legal advice for third-party consultant engagements; and
- Compliance training.
You also may wish to review our recent three-part webinar series, conducted by our team in conjunction with two E.U.-based law firms providing local law perspectives. Additionally, please see our initial publication outlining the obligations of the GDPR and its potential impact on your business.
If you have any questions on how the GDPR will affect your business, please contact any member of Baker Donelson's GDPR Team.
* The following countries are currently members of the European Union (the E.U.): Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and the United Kingdom. Note that Switzerland is NOT a member of the E.U.
**The European Economic Area (EEA) comprises the E.U. member states plus Iceland, Liechtenstein, and Norway.