Europe’s General Data Protection Regulation (GDPR) becomes enforceable on May 25th.
Intended to ensure data protection and privacy for all individuals within the European Union, GDPR is essentially a law about consent. GDPR aims primarily to give control to citizens and residents over their personal data.
GDPR applies to any company that processes personal data of EU data subjects. Yes, this law will even affect many non-European companies, whether or not they realize it yet.
Whether this new legislation makes it harder to do business in Europe depends on your perspective. I view it as an opportunity for companies that are innovative and agile to differentiate themselves. We discuss it with all of our portfolio companies and have even incorporated it into our investment thesis.
Europe is taking the lead on data privacy, which clearly is a hot issue in light of Facebook’s current data scandal. I would not be surprised if other regions of the world follow Europe’s lead. So any globally-minded, forward-thinking company should be looking at GDPR.
I was recently asked to offer some practical advice on GDPR for Japanese companies. My answer was that there are several practical things a company can do without hiring expensive “GDPR consultants.” Of course, some Data Controller and Data Processor obligations need to be clearly spelled out in a contract, so some moderate legal advice is often appropriate. For what it’s worth, I know of several lawyers in Europe with expertise on GDPR if anyone is looking for a referral. But overall, my practical advice would be: know which personal data you possess, on whom you possess it, why you possess it, and what you’re doing with it. When you design a new product, consider incorporating data compliance into the design stage.
Below is a very superficial synopsis of some of the key elements of GDPR.
Definition of personal data (according to the European Commission): Personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.
Furthermore, different pieces of data, which when collected together can lead to the identification of a particular person, also would qualify.
Categories of companies affected: i) Data Controllers and ii) Data Processors. A Data Controller is a company that decides how and why the personal data is going to be processed. A Data Processor is an organization that will be processing that data on behalf of the Data Controller. Some companies will fall into both of these categories.
Penalties for non-compliance: Fines of up to 4% of a company’s global sales. I can understand why companies might be alarmed because the press writes relentlessly about these stiff penalties. However, many EU regulators have indicated that penalties are a last resort tool for enforcement. Most experts expect that a non-complying company will receive a lot of advance warning and guidelines for corrective action before a penalty is imposed.
Rights granted to EU consumers: Here’s an excellent table prepared by the smart lawyers over at SMAB which summarizes these rights (thank you, Simon Halberstam):
