What Exactly Is GDPR?
General Data Protection Regulation (GDPR) is a regulation from the European Union that was implemented into legislation in all of the member states of the European Union. It’s about protecting natural persons with respect to the processing of their personal data. It is also meant to help companies be able to move data around between their divisions across Europe and to other countries.
What Is Considered Personal Data As Defined By The GDPR?
Personal information is very broadly defined in the GDPR as any information that can be used to reasonably identify, directly or indirectly, a natural person who is in the EU. That means live human beings; it doesn’t mean companies. It’s a little unclear what “in the EU” means, but it does seem to include more than just residents, and possibly even Americans or other non-EU citizens who are on vacation in Europe.
Any kind of identifying data, such as location data, online usernames, actual names, addresses, physical appearance, or DNA, is protected. Processing information is also a very broad term. It means any touch of a person’s personal information, whether you are collecting it for a newsletter, using it in internal research for your company, selling it, or sharing it with third parties for any reason.
There is no minimum threshold. Even if you are just a blogger in the United States and someone who is in an EU country subscribes to your blog, and you collect their email address, you are going to be affected by the GDPR. There are questions about whether or not a European law can apply in the United States. For example, if the French data protection authority decided that a U.S. company had violated some provision of the GDPR and was therefore subject to a fine, how would that fine be enforced in the United States? We don’t have all the answers yet, but as it’s written, this law applies regardless of where your company is located and how many data subject records you have.
Who Needs to Comply with The GDPR?
The GDPR divides companies that touch personal data into two groups – data controllers and data processors. Data controllers, for example online retailers, decide what personal data will be collected from consumers – data like names, email addresses, or mobile phone numbers. Often, a data controller will engage third parties, like an e-commerce platform or email management program, to store the personal data, to process payment information, or to send order status information to the consumers. Those third parties – anyone other than the data controller who touches an end consumer’s personal information for any reason authorized by the data controller – are data processors. If a company processes the information of EU consumers on behalf of a data controller, the GDPR applies, regardless of where the data controller or the data processor is located.
For more information on the General Data Protection Regulation, an initial consultation is your next best step. Get the information and legal answers you are seeking by calling (615) 734-1188 today.