The Oklahoman

GENERAL DATA PROTECTION REGULATION POLICY GOES INTO EFFECT IN MAY

- PAULA BURKES, BUSINESS WRITER

Q: What is the European Union General Data Protection Regulation (GDPR)?

A: The regulation goes into effect May 25, imposing a drastic transformation on EU privacy laws. This policy imposes several new requirements on companies related to reporting data breaches, and how companies store, protect and transfer personal data. It also gives additional rights to people who have shared personal data with companies. It was originally adopted by EU member states in May 2016. However, the EU gave companies two years to prepare for the requirements under the General Data Protection Regulation. It’s important for anyone who may do business in Europe of any kind to pay attention, as there are provisions for staggering penalties. The significant potential financial penalties provide reason enough for companies to be aware of the GDPR requirements.

Q: How do company operators know if this new policy applies to them?

A: The first question that companies tend to ask is, “Does the GDPR apply to me?” The answer is an easy “yes” for companies that are based in the EU or that have an office in the EU. The answer becomes trickier for companies that are based strictly in the United States. This is because the language of the GDPR is broad enough to include U.S.-based companies that don’t have an office in the EU. The GDPR applies to U.S.-based companies that offer goods and services to customers living in the EU, but it also goes one step further and applies to U.S.-based companies that monitor the activities of people living in the EU. If in doubt, it’s best to consult with an attorney.

Q: To what element of this law should Oklahoma companies pay particular attention?

A: The GDPR includes requirements for companies to report data breaches to authorities. The inclusion of a breach reporting requirement should not be a surprise since all 50 states have passed breach notification requirements. What makes the GDPR different is how it defines a data breach and who the companies are required to report a breach to. Under Oklahoma’s Security Breach Notification Act, a breach is defined as “the unauthorized access and acquisition of unencrypted and unredacted computerized data.” The GDPR requires this level of security, but it also includes “accidental or unlawful destruction, loss, alteration …” Along with expanding what constitutes a data breach, after a company is alerted to a data breach, it is required to report the breach to the government and to notify the individuals affected by the breach. Most U.S. states only require companies to alert the individuals affected by the breach.

Anthony Hendricks, an attorney in Crowe & Dunlevy’s Administrative & Regulatory Practice Group
