You are a North Carolina company. You have no offices in Europe. Barring the occasional employee vacation, the rare convention or isolated business trip, you have no personnel in the European Union. So do you need to concern yourself with the fact that the European Union's General Data Protection Regulation comes into effect on May 25, 2018? The answer will surprise you. In a word, yes.
By way of background, the GDPR is a European Union regulation. A regulation, as opposed to a directive, automatically becomes binding law throughout Europe on the designated day. Member states are not required to pass their own implementing legislation to render it enforceable. So on May 25, 2018, the GDPR will be the law of the land in all European Union member states. Those member states will include the United Kingdom, since the Brexit withdrawal process will not be complete by May 2018.
The GDPR is built around one fundamental principle: the data subject (the individual) has the right to control his or her data. Contrary to popular belief, the GDPR does not apply to all data. It applies only to personally identifiable information or certain types of personal data that can be connected to an individual resident of the European Union. As a result of Europe's recent historical experience with data collection at the hands of totalitarian regimes, the European Union approaches data processing with far greater wariness than the United States.
In the United States, any data processing that is not specifically prohibited, such as health information under HIPAA or educational records under FERPA, is generally permissible. The European Union takes the opposite approach. Unless a specific exemption is available--typically based on the individual data subject's permission or the legitimate needs of the data processor--data processing is forbidden.
So why should a North Carolina company care? First, the GDPR applies to any entity worldwide that processes an EU resident's personal data. And many companies process more data than they may appreciate. Do you have a website? Do you utilize any sales and prospect tracking software? If either the website or the software handles the personal data of EU residents, that potentially constitutes processing. In other words, many technology and other companies that do not consider themselves to be traditional data processors--those involved in advertising, education or training--may still be subject to the GDPR.
Second, even if a...