Data Protection Regulation in Europe

On May 25, 2018, enforcement of the European Union (EU) General Data Protection Regulation (GDPR), a set of requirements regulating how data is collected, used, transmitted, stored and destroyed, will begin. The GDPR replaces the 1995 EU Data Protection Directive, which only applies to EU-based businesses and data processing equipment. Under the GDPR, some U.S. organizations, including non-profits, will also be subject to requirements if they:

  • employ EU residents,
  • offer goods or services (paid or free) to EU residents (e.g. targeting or shipping to customers in an EU Member State),
  • have a branch, office, subsidiary or other establishment in the EU that collects, receives, transmits, uses, stores or otherwise processes personal data of or relating to EU residents, or
  • monitor behavior of individuals in the EU (e.g., Internet tracking to predict behaviors).

Organizations with a strong internet presence and those in the technology, retail, health care, insurance and banking industries have been noted as being some of the most deeply affected by the GDPR. 

Data Identification and Protection

Personal data under the GDPR broadly includes “any information relating to an identified or identifiable natural person (‘data subject’).” Identifiable means the data subject can be “identified directly or indirectly…by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.” This wide range of identifiers may also include a person’s address, phone, passport, Social Security, credit card, financial account, registration plate or driver’s license number, date of birth, photo, email address and employee information. Online identifiers can include IP addresses, metadata, cookies and social media posts.

One of the key provisions requires that the relevant data protection authority be notified within 72 hours of finding a data breach, where feasible. In addition, if there is a high risk that the rights and freedoms of EU citizens will be violated by the breach, data subjects themselves must be notified without undue delay.

Consent and Rights of Data Subjects

There are also heightened conditions for consent. A request for consent to data processing must be separate from other terms and conditions and provided “in an intelligible and easily accessible form, using clear and plain language.” A data subject’s consent must be “freely given, specific, informed and unambiguous” and involve a clear affirmative action (an opt-in). The GDPR specifically bans pre-ticked opt-in boxes. It must also be easy for an individual to withdraw their consent.

Certain “special categories” of personal data, including “revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation,” require “explicit” consent and “deserve specific protection.”

Data subjects have a right to request information regarding whether, how, where and for what purpose their personal data is being processed. The GDPR’s “right to be forgotten” also allows individuals to request that their personal data be rectified or erased and that no further processing or dissemination occur.   

The GDPR also requires companies to record personal data processing activities, including the categories of data being processed, categories of recipients of the data and data retention schedules. Organizations should ensure they have updated privacy notices and data protection policies. The data protection supervisory authority for the UK, the Information Commissioner’s Office (ICO), has recently published detailed guidance on the GDPR’s record-keeping requirements.

Impact of Non-Compliance

Non-compliance fines and penalties will be more significant — up to the greater of 4% of global annual turnover (revenue) or €20 million (over $24 million). This penalty will be imposed upon organizations that fail to acquire customer consent or violate the privacy by design requirements. Other violations have varying penalties depending upon the type of violation.   

U.S. organizations doing business or engaging in any of the above activities in the United Kingdom (UK) also should consider and monitor what effect Brexit, occurring at the end of March 2019, may have upon the GDPR and its requirements. Currently, Brexit has no effect, since the GDPR is a European regulation applicable in the UK. When the UK leaves the EU, however, the GDPR will no longer apply and the UK government will need to enact domestic legislation to apply similar standards. A data protection bill is currently being debated in Parliament. 

Compass’ Recommendation

U.S. organizations utilizing EU residents’ personal data must take privacy seriously. Compass suggests the following steps:

  • Assess if swift action is needed. Evaluate whether your organization is subject to the GDPR, making sure to speak to key executives. IT, human resources and legal departments should be involved and consulted when performing this assessment.
  • Familiarize appropriate employees with the new requirements.
  • Determine the process to monitor affected data flow and implement any changes to policies, notices and processes to ensure compliance.
  • Define who will oversee these efforts and train necessary personnel to assist.

Compass is available to provide guidance and refer you to outside experts in this area to help you navigate these new standards and obligations. 

Compass Business Solutions
P.O. Box 1932, Cranberry Township, PA 16066

© Compass Business Solutions, Inc.