The General Data Protection Regulation (GDPR) went into effect on May 25, 2018. With fines as high as €20 million or 4% of global revenues, the GDPR cannot be ignored. How do you know if the regulation applies to your organization and how can you comply?

The first thing to understand is that GDPR is focused on privacy rights of the person (data subject), and the goal is to give the person more control over their own data (how much is allowed to be collected and how it is used). The regulation is designed to create transparency, minimize the use and collection, improve security and increase accountability by organizations for personal information.

Most of the tenets and goals of GDPR are good privacy practices that all organizations should consider adopting (i.e., only collect what you need, only use it for what you said you would, correct it if it is wrong and allow the person to opt out of further contact). Of course, there are many details and requirements listed in the GDPR – so how do you know if it applies to your organization?

The obvious cases where organizations must comply include those who:

• Have a physical presence in the EU
• Advertise, market or sell to people in the EU
• Collect, use or provide online data for targeting people in the EU with advertising, marketing or sales
• Collect, process, store or transmit personal data for other organizations with customers in the EU

Please note that a “data subject” and “personal data” have specific GDPR definitions. For instance, a data subject in GDPR terms is a person physically present in the EU, regardless of nationality. And, personal data under GDPR includes a person’s IP (computer) address if it can be linked to their other information (which is why so many websites have “cookie” warnings lately).

The only obvious case where GDPR does NOT apply is when your organization is not physically present in the EU, only does business in person and does not retain any personal information from anyone. Many organizations fall into the “it depends” category – and need to document their analysis of what aspects of GDPR apply to them and their business processes.

While assisting clients with GDPR readiness assessments, we’ve noted that a critical aspect of determining what applies to your organization is understanding what GDPR data your organization collects and how that data is handled. This is best understood by performing a data flow analysis for your business processes. Once you understand what the data is, how it is handled and how it is protected, you can begin addressing GDPR compliance requirements.

A good site for additional detailed information is the Article 29 Working Party, which provides information, insights and commentary on some of the more complex aspects of GDPR.

Remember the GDPR is focused on transparency and accountability, so whether you perform your own analysis, hire consultants or engage outside counsel, document your analysis and decision process.

^{Any federal tax advice contained in this communication (including any attachments): (i) is intended for your use only; (ii) is based on the accuracy and completeness of the facts you have provided us; and (iii) may not be relied upon to avoid penalties.}