Review this exciting guide to some of the recent content additions to Practical Guidance, designed to help you find the tools and insights you need to work more efficiently and effectively. Practical Guidance...
By: Jeffrey D. Mamorsky , COHEN & BUCKMANN, P.C. THIS VIDEO SERIES CELEBRATES THE ENACTMENT of the Employee Retirement Income Security Act (ERISA), signed by President Gerald Ford on September 2...
By: Kirk A. Sigmon , BANNER WITCOFF THIS CHECKLIST OUTLINES KEY CONSIDERATIONS THAT ATTORNEYS should review when advising whether and how to copyright artificial intelligence (AI) and machine learning...
By: Erin Hanson , Arlene Arin Hahn , Sahra Nizipli , and Jordan Hill , WHITE & CASE LLP THIS ARTICLE SUMMARIZES VARIOUS INTELLECTUAL PROPERTY AND TECHNOLOGY (IP/IT) PROVISIONS, including sample definitions...
By: Damon W. Silver , Gregory C. Brown, Jr. , and Cindy Huang , JACKSON LEWIS P.C. Overview of Artificial Intelligence (AI) in Employment Decisions AI tools are fundamentally changing how people work...
Copyright © 2024 LexisNexis and/or its Licensors.
By: Nicholas R. Merker, Ice Miller LLP
The deadline for organizations to comply with the European Union (EU) General Data Protection Regulation (GDPR) is upon us.1 As of May 25, 2018, all entities covered under the GDPR must be able to demonstrate their compliance to EU regulators. The expanded territorial reach of the GDPR means organizations in the United States must comply if they either offer goods or services to individuals in EU member states and select other countries or monitor individuals’ behavior in those nations.
THE FAILURE TO COMPLY WITH THE GDPR MAY NOW trigger steep administrative fines of up to €20 million or 4% of the organization’s global annual revenue, whichever is greater. Notably, the GDPR does not apply solely to commercial businesses—not-forprofit organizations, charities, and educational institutions may all fall within the regulation’s purview.
Put simply, the GDPR is a regulation requiring organizations that process the personal data of individuals in the European Economic Area (EEA)2 to institute strong data protection mechanisms, incorporate privacy principles into the design of business processes, and allow EEA individuals to exercise certain rights over their personal data. The GDPR replaced the EU Data Protection Directive3 and creates more robust requirements for protecting EEA personal data.
The GDPR also significantly expands the territorial scope of European data protection law. Even organizations in the United States will need to comply with the GDPR if they either offer goods or services to EEA individuals or monitor EEA individuals’ behavior. Accordingly, your organization may be required to comply with the GDPR even if it does not have a physical presence in Europe.
Consider the following examples of scenarios in which your organization may need to comply with the GDPR:
To read the full practice note in Lexis Practice Advisor, follow this link.
Nicholas R. Merker is a partner in and co-chair of Ice Miller LLP’s Data Security and Privacy Practice. His technology background gives him the unique ability to bridge the gap between lawyers and technologists, often translating between the two disparate disciplines to resolve legal issues. Clients seek Nick’s counsel in all areas where data security and privacy are an issue, including PCI-DSS, the HIPAA Security Rule, online privacy statements, vendor contract issues, the EU GDPR, anti-SPAM issues, regulatory enforcement, privacy due diligence in mergers and acquisitions, privacy audits (i.e. GAPP), and data security standards and audits (i.e. NERC, SSAE 16, etc.). The author may be reached at nicholas.merker@icemiller.com.
To learn more about the European Union General Data Protection Regulation (GDPR), see
> GENERAL DATA PROTECTION REGULATION (GDPR)
RESEARCH PATH: Data Security & Privacy > International Compliance > General Data Protection Regulation (GDPR) > Practice Notes
For a sample GDPR privacy policy, see
> PRIVACY POLICY (GDPR COMPLIANT, GENERAL)
RESEARCH PATH: Data Security & Privacy > International Compliance > General Data Protection Regulation (GDPR) > Expert Forms
For a discussion on GDPR protection principles, see
> PROTECTION PRINCIPLES UNDER THE GENERAL DATA PROTECTION REGULATION (GDPR)
For an explanation of the consent requirements under the GDPR, see
> CONSENT UNDER THE GENERAL DATA PROTECTION REGULATION (GDPR)
To explore the data portability rights and requirements pursuant to the GDPR, see
> DATA PORTABILITY UNDER THE GENERAL DATA PROTECTION REGULATION (GDPR)
For more information on GDPR enforcement and sanctions, see
> SANCTIONS AND ENFORCEMENT UNDER THE GENERAL DATA PROTECTION REGULATION (GDPR)
To examine pro-controller data processing clauses, see
> DATA PROCESSING CLAUSES (DPA 1998 AND GDPR COMPLIANT, PRO-CONTROLLER)
To examine pro-processor data processing clauses, see
> DATA PROCESSING CLAUSES (DPA 1998 AND GDPR COMPLIANT, PRO-PROCESSOR)
1. General Data Protection Regulation (EU) 2016/679, http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=EN. 2. The European Economic Area consists of EU member states and Iceland, Liechtenstein, and Norway. 3. EU Data Protection Directive 95/46/EC. Unlike the GDPR, the EU Data Protection Directive was not a regulation that was immediately legally binding on EU member states. Instead, the directive required each EU member state to interpret the directive’s standards and pass national legislation to implement them.