GDPR: The EU’s New Data Protection Law

April 17, 2018 


On May 25, 2018, a new data protection regulation entitled General Data Protection Regulation (“GDPR”), Regulation (EU) 2016/689, will come into force in the European Union (“EU”) and its 28 Member States. The GDPR provides significant new data privacy protections for individuals (“data subjects”), with corresponding requirements that must be implemented by organizations, regardless of location, that control or process the personal data of individuals located in the EU.

What are the Requirements of the GDPR? 

With the explosion of the Internet, social media, and online marketing, it was only a matter of time before the EU would revisit its data protection regulations.  The GDPR applies to the collection and processing of personal data in connection with an automated process or part of a manual filing system (both direct and indirect personal data, including: name, location, and online identifier).  Under the regulations, an organization needs a lawful basis to process personal data and is required to satisfy additional requirements to process “special data” which, among other categories, includes: race; ethnic origin; religion; politics; and sexual orientation.

The GDPR imposes far reaching requirements on “data controllers” (organizations that determine the purpose and means of processing personal data) and “data processors” (third parties who process data on behalf of controllers) within the EU, as well as organizations located outside the EU if the organizations: (1) offer goods and services to persons in the EU; or (2) monitor behavior of individuals in the EU.  Bear in mind, however, mere website accessibility by persons in the EU is likely insufficient to establish intent to offer goods and services to persons in the EU or its individual Member States.

To ensure compliance with the GDPR, organizations must institute appropriate technical and organizational measures to implement data protection principles. In addition, organizations should, and in many cases will be required to, appoint a data protection officer (“DPO”), such as an employee or external consultant who has “expert knowledge of data protection law and practices” that must “directly report to the highest management level.”  Organizations should implement policies consistent with the GDPR for: (1) processing personal data (which would be the minimum amount necessary to accomplish the purpose for which it was provided by the individual); (2) deleting data when there is no longer a need for it; (3) document retention; (4) response to data breaches; (5) disclosure of personal data; (6) employee privacy training; (7) maintaining an up-to-date privacy policy and terms and conditions; (8) review of encryption software; and (9) regular compliance policy reviews and/or audits.  Organizations should have the DPO carry out a “data protection impact assessment” for any new technology or high-risk data processing activities, such as large-scale processing of sensitive data.

Data controllers are required to have a written contract with data processors to ensure organizational and technical compliance with the GDPR (the GDPR sets forth what needs to be included in these contracts).  The GDPR also provides detailed restrictions on the cross-border transfer of personal data, which will have significant implications insofar as United States civil litigation discovery requests are concerned.

The GDPR requires data controllers to self-report security breaches to regulators within 72 hours of the subject breach (unless the breach is unlikely to result in a risk to the rights and freedoms of data subjects) and to data subjects where the breach is likely to result in an elevated risk to the rights and freedoms of data subjects “without undue delay.”

New Rights for Data Subjects 

The GDPR will introduce new rights for data subjects, including the right to request and obtain a copy of their respective personal data that an organization controls, processes, and/or transfers.  Data subjects are entitled to: (1) know how long their data will be stored; (2) know how they can have the organization delete it (“right to be forgotten”); (3) know the purpose of processing their data; and (4) lodge a complaint with a supervisory authority.  Many expect that there will be a flood of data subject requests asking for the deletion of their personal information.

The New Standard for Consent

 Consent under the GDPR must be express, not implied (i.e., no pre-checked consent boxes). For consent to be express, the consent must be:

  • Unambiguous (i.e., checking an unpopulated checkbox);
  • Freely given (i.e., not conditioned on purchase, use of website, access, etc.);
  • Specific (i.e., consent cannot be bundled, each purpose requires another consent checkbox);
  • Informed (i.e., data controllers must provide their names, why they want your data, etc.); and
  • Explicit (i.e., only for certain processing activities, such as sensitive data)

The consent obtained from data subjects must be documented (each data controller must be able to provide evidence of consent). In addition, data subjects must be advised as to how to withdraw consent, which should be as easily accomplished as the procedure by which consent was provided.

Non-Compliance with GDPR can Be Costly

If a company or organization violates or fails to comply with the GDPR, the financial consequences are severe and include administrative fines depending on the severity of the violation. Fines are subject to due process and judicial review, but EU Member States can impose additional penalties, including criminal sanctions. In addition to the foregoing, individuals have the right to obtain compensation from both controllers and processors for material and non-material damages that they suffer. Please note that controllers and processors can be held jointly and severally liable and can bring claims of contribution against one another.

How to Avoid GDPR Liability 

To avoid GDPR liability, organizations should, among other things, establish and implement policies and procedures regarding their protection and handling of the data of individuals that they control/obtain, conduct staff training, hire DPOs, and establish breach response protocols. These measures can help identify, prevent, and reduce regulatory and/or legal liability. Companies should review all contracts with business partners to ensure compliance with the GDPR and review insurance policies to make sure that GDPR-related coverage is in place. In addition, organizations should keep records of GDPR organizational and technical measures that have been implemented. This will be useful in the event of an audit by a supervisory authority.

Given the complexity of the GDPR, any company that controls, processes, or collects data from individuals located in the EU should consult with experienced counsel to ensure that all of its data collection, use and sharing policies and procedures are compliant with the new regulations.  If you are interested in learning more about this topic or need assistance with GDPR compliance, please e-mail us at, or call us at (212) 246-0900.

The material contained herein is provided for informational purposes only and is not legal advice, nor is it a substitute for obtaining legal advice from an attorney.  Each situation is unique, and you should not act or rely on any information contained herein without seeking the advice of an experienced attorney. 

Attorney Advertising

Related Blog Posts:

FTC Updates Guidance on COPPA Compliance

NY AG Targets Mobile Health Applications Over Privacy Policy, Misleading Claims Concerns

FTC Seeks Comment on Federal Email Law


David Klein

David Klein is one of the most recognized attorneys in the technology, Internet marketing, sweepstakes, and telecommunications fields. Skilled at counseling clients on a broad range of technology-related matters, David Klein has substantial experience in negotiating and drafting complex licensing, marketing and Internet agreements.
FTSA TCPA Telemarketing telemarketer note pad lawsuit

FTSA Lawsuit Update

Readers of our blog may recall a recent piece in which we discussed a Florida Telephone Solicitation Act (“FTSA”) lawsuit pending in the United States

Read More »

Trending Topics

FTSA TCPA Telemarketing telemarketer note pad lawsuit

FTSA Lawsuit Update

Readers of our blog may recall a recent piece in which we discussed a Florida Telephone Solicitation Act (“FTSA”) lawsuit pending in the United States

Read More »