When will the GDPR go live?

The GDPR becomes enforceable on 25 May 2018.

Our company is based out of the U.S. Do we need to comply?

Yes. If you offer your goods or services to any EU residents, then you must comply with the GDPR.

Our company is based out of the U.K. Do we need to comply given the upcoming Brexit?

Yes. First, the GDPR will go into effect before the 2-year leave deadline of Brexit (April 2019). Barring new legislation, UK firms must comply with the GDPR until then. Karen Bradley, the Secretary of State for Culture, Media, and Sport, affirmed in October 2016, after the referendum, that “We will be members of the EU in 2018 and therefore it would be expected and quite normal for us to opt into the GDPR and then look later at how best we might be able to help British business with data protection while maintaining high levels of protection for members of the public.” Second, even after Brexit concludes, UK firms that offer goods or services to EU residents will still need to comply.

We do not charge for services we offer. Do we need to comply?

Yes. The GDPR applies to firms that offer goods or services to EU residents irrespective of whether any payment is exchanged.

We process personal data manually [instead of using automated means]. Do we need to comply?

That depends on whether the output of that manual processing forms, or is intended to form, part of a filing system, defined by Article 4(6) as “any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis”. In plain words, if the manual processing feeds into a database, then yes, you must comply. If the processing is one-off and its output does not enter a structured, accessible database, then the GDPR may not apply.

What happens if I do not comply?

You may be fined up to €20 million or 4% of your worldwide turnover (revenue), whichever is greater. You may also be subject to lawsuits by affected data subjects.

What type of data is considered to be personal data?

The GDPR treats a broad swath of data, such as name, email address, location, IP address, and online behavior, as personal data.

How do I obtain consent?

In general, consent needs to be explicit, opt-in, and freely given. This means the opt-out based consent that is common today will no longer be acceptable.

Does my firm need a Data Protection Officer (DPO)?

You must appoint a DPO if you are a public authority, or if your organization carries out large-scale monitoring of individuals or large-scale processing of sensitive personal data.