You Need to Know: The General Data Protection Regulation

You may have already seen updates from social media giants and online retailers providing more transparency into how data is collected and used. The question is, “Why now?”

In April 2016, the General Data Protection Regulation (GDPR) was approved with a two-year transition period, putting it into force this month. Designed to harmonize data privacy laws across Europe, the GDPR applies to organizations located within the European Union (EU) and organizations outside of the EU if they offer goods or services to, or monitor the behavior of, EU data subjects. It applies to all organizations processing and holding the personal data of subjects residing in the EU, regardless of the organization’s location.

According to the language in the regulation, “personal data” is any information related to a natural person or “data subject” that can be used to directly or indirectly identify the person (e.g., name, photo, email address, bank details, posts on social networking websites, medical information, etc.). “Processing” means any operation or set of operations performed on personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

For processing to be legally compliant, at least one of the following must apply:

  • The data subject has given consent to the processing of personal data for one or more specific purposes;
  • Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; and/or
  • Processing is necessary for compliance with a legal obligation to which the controller is subject.

While consent is not required for data collected due to an organization’s legal obligations, to the extent U.S. employers believe their respective organizations hold and process data of people residing in the EU, steps should be taken to obtain consent for the collection of any personal data from those individuals.