What Exactly Is GDPR?

The General Data Protection Regulation (GDPR) is a European Union regulation that applies directly in every EU member state. It governs the protection of natural persons with respect to the processing of their personal data. It is also meant to let companies move personal data freely between their divisions across Europe and, subject to the regulation's transfer rules, to other countries.

What Is Considered Personal Data As Defined By The GDPR?

Personal data is very broadly defined in the GDPR as any information that can be used, directly or indirectly, to reasonably identify a natural person who is in the EU. That means living human beings; it does not mean companies. It is a little unclear what “in the EU” means, but it does seem to include more than just residents, and possibly even Americans or other non-EU citizens who are on vacation in Europe.

Names, addresses, location data, online identifiers such as usernames, physical appearance, and genetic information such as DNA are all protected. Processing is also a very broad term. It means any touch of a person’s personal data, whether you are collecting it for a newsletter, using it in internal research for your company, selling it, or sharing it with third parties for any reason.

There is no minimum threshold. Even if you are just a blogger in the United States and someone who is in an EU country subscribes to your blog, and you collect their email address, you are going to be affected by the GDPR. The regulation reaches organizations outside the EU when they offer goods or services to people in the EU or monitor their behavior there, so a U.S. business does not have to have a European office to fall within it. There are questions about whether or not a European law can be enforced in the United States. For example, if the French data protection authority decided that a U.S. company had violated some provision of the GDPR and was therefore subject to a fine, how would that fine be enforced in the United States? We don’t have all the answers yet, but as it’s written, this law applies regardless of where your company is located and how many data subject records you have.

How Have Companies’ Efforts Been So Far To Comply With The GDPR?

My experience has been primarily that people are at least reviewing their privacy notices. Some companies are having to start from scratch and do a privacy audit to figure out exactly what information they’re holding on people, how certain information is being used, and whether it’s being shared. A lot of companies already had a pretty good handle on that, particularly if they were health care companies that were subject to HIPAA rules or finance companies. It’s other kinds of consumer-facing businesses that were not previously regulated that still have a lot of work to do.

For more information on the General Data Protection Regulation in TN, an initial consultation is your next best step. Get the information and legal answers you are seeking by calling (615) 802-9119 today.