See the following guest article from our friends at Goldberg Segalla.
By Colin B. Willmott.
Even putting aside the U.S. Senate’s recent grilling of Facebook’s CEO Mark Zuckerberg, hardly a day goes by without the issue of data privacy and the internet popping up. The collection of data is not limited solely to social media companies like Facebook, of course — instead, collecting and monitoring data is a normal part of doing business.
While the U.S. Congress may now be considering regulations aimed at preventing abuse of customer data, the European Union’s General Data Protection Regulation (GDPR) is slated to be effective on May 25, 2018. So … American-based companies can rest easy for the time being until regulation is enacted stateside, right?
Wrong. The GDPR’s territorial reach is not limited to EU-based companies. As a result, the following are a few key aspects companies should watch out for in connection with the GDPR.
Broad subject matter: The GDPR is concerned with ensuring that data protection is a fundamental right for natural persons. Under the regulation, the term “personal data” refers to any information relating to an identified or identifiable natural person. Factors of identification can be physical, physiological, genetic, mental, economic, cultural or social.
Territorial scope beyond the EU: The regulation will apply to companies outside of the EU if they process personal data of individuals in the EU. Processing refers to a series of operations including, but not limited to, collection, recording, storage, adaptation or alteration, use, and dissemination. In particular, companies that offer goods or services to individuals in the EU and/or monitor the behavior of EU citizens are subject to the GDPR.
Harsh penalties: For serious violations, administrative fines range up to €20 million or 4 percent of a company’s worldwide turnover, whichever is greater. For less serious violations, administrative fines range up to €10 million or 2 percent of a company’s worldwide turnover, whichever is higher. For large multinational companies, these fines can be colossal.
Timing for notification: In the event of a personal data breach, the controller of the personal data must notify the relevant supervisory authority within 72 hours.
Due to the wide-ranging subject matter, broad territorial scope, and potential for harsh penalties, companies should review whether their activities or services would fall under the purview of the GDPR. If so, a close review of the regulation should be undertaken to ensure compliance. Moreover, companies would be well served by reviewing their insurance policies to determine whether exposure for violations of the GDPR is covered.
CPAGold™ has been monitoring this situation as it impacts CPAs in the US. Although at this time liability arising from claims connected to breaches of the GDPR is not excluded – in fact the policy is silent – we are working on an appropriate clarification of coverage.
Jorgensen & Company are not attorneys and do not offer any form of legal advice. Consult with appropriately qualified local counsel for more assistance. Rickard Jorgensen is President and Chief Underwriting Officer for the CPAGold™ program and may be contacted at (201) 345 2440 or firstname.lastname@example.org