
6310 Hillside Court
Suite 160
Columbia, MD 21046

P. 410-290-0707

111 South Calvert Street

Suite 2700

Baltimore, MD 21202

P. 410-962-1199

General Data Protection Regulation

On May 25, 2018, the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”) went into effect. The GDPR is a regulation passed to protect the privacy of European Union (“EU”) citizens and to address data breaches. GDPR applies to any organization that collects data from an EU resident or an organization that processes such data, such as a cloud service provider, which is located within the EU. It applies to all companies that process an EU resident’s personal data. This allows the GDPR to apply not only to organizations located within the EU but also to organizations located outside of the EU if they offer goods or services to, or monitor the online conduct of, any EU citizen. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.

Under the GDPR, personal data is defined as any information relating to an individual which would allow the individual to be directly or indirectly identified. Personal data may include a name, home address, photographs, email addresses, banking details, posts on social networking websites, medical information, or a computer’s IP address.

Under the GDPR, organizations must obtain valid consent to collect data from EU citizens. Such consent must be affirmative, informed, voluntary, unambiguous and limited to a specific purpose. The individual whose data is collected shall have the right to: (i) have all personal data within an organization’s possession erased upon demand; (ii) access their own personal data by request; (iii) report inaccurate data and require that it be corrected; and (iv) receive data in machine-readable form so that the data may be ported. Any breach of data protections must be reported immediately by the organization collecting or processing the EU citizen’s data.

All organizations subject to the GDPR will need to appoint a data protection officer (“DPO”) to implement policies and procedures and to monitor compliance with the GDPR. Organizations must take proactive measures to protect data and implement “Privacy by Design” protections. This concept means that an organization must take proactive and preventive measures, not reactive and remedial ones, to protect privacy. Privacy protection must be the default of the organization, and privacy design must be embodied as part of the architecture of IT systems and the business practice of the organization.

Organizations which breach the GDPR can be fined up to 4% of the company’s annual global income or approximately $25 Million, whichever is greater. The maximum fine can be imposed for more serious infringement violations, such as not having customer consent to process data or violating the Privacy by Design concept. There is a tiered approach to fines assessed against an organization depending on the character and type of breach that has occurred. The GDPR provides a right for any person who has suffered damages as a result of infringement of the regulation to file a judicial action to receive compensation. If there are multiple data processing entities responsible for such violation, each organization is liable for the full damage caused by the breach.

 


 

BTLG Attorneys At Law
