EU GDPR – Yes, it may apply to you! -by Christine E. Nicholas-

The European Union’s new General Data Protection Regulation took effect on May 25, 2018.  If you receive orders from and ship goods to EU residents, you will process personal data of the EU resident to fill the order and this regulation applies to your Idaho business.

Under the regulation, “personal data” is “any information relating to an identified or identifiable natural person,” such as a name, identification number, location, online identifier, or attributes specific to the “physical, physiological, genetic, mental, economic, cultural or social identity” of that person.

So, if you offer goods or services to persons in the EU through a website or over the phone, or process orders for a party offering those goods or services, regardless of whether payment from an EU person is required, you are likely subject to the new regulation.

If you don’t ship goods to someone in the EU who has purchased them, but you have an agent or employee resident in the EU, your HR Department will be collecting personal data of an EU resident and the regulation will apply to you.

Data protection principles are at the heart of the regulation, which requires extensive information be provided to data subjects concerning the processing of their personal data, limited use of the personal data, minimal collection of personal data, steps to ensure inaccurate personal data is erased or corrected promptly, secure processing and accountability to demonstrate compliance with the regulation’s data protection principles.  The regulation’s mandatory personal-data breach reporting needs to be understood and complied with, and a data protection officer appointed.  If you don’t already maintain records of your processing activities, you need to.

Failure to comply when required gives rise to administrative fines and a private right of action by affected data subjects, not to mention negative publicity and corresponding impact on public opinion.

If you need assistance understanding and complying with the new EU GDPR, give us a call.