Business owners and CEOs often make incorrect assumptions about what the EU’s General Data Protection Regulation (GDPR) does and how it works. At the Law Office of S. Grynwajc, PLLC, we have extensive experience helping companies navigate the ins and outs of complying with GDPR. In today’s blog post, we’re sharing three main considerations that business owners and CEOs need to keep in mind when approaching data protection in Europe.
1. The GDPR is a framework, subject to a limited number of “national derogations.” Answers to questions about the GDPR are often not found in the text itself, but in the opinions of regulators and the national laws of individual countries. Most people do not know that the GDPR is not comprehensive and doesn’t have it all in one place. The GDPR itself is, in fact, a poorly drafted and often confusing text — check out our GDPR Glossary for more help navigating the text. There are over 50 areas of the GDPR where the GDPR does not have the final say, and defers to individual countries in the EU to legislate on certain of its provisions.
2. There are major consequences for failing to comply with GDPR. Breaches or violations of any type could result in hefty fines. How much will you be fined? It might be 20 million euros or 4% of your company’s worldwide turnover, whichever is greater. Clearly this means GDPR violations are something that companies collecting the data of EU residents for business purposes need to take seriously. It is essential to have an EU-qualified attorney who knows how to read between the lines of the GDPR, who understands the context in which the text was drafted, and who can read and interpret the national derogations and the opinions of the various EU countries’ regulators.
3. The GDPR makes it mandatory for certain companies that collect and process the personal data of EU residents to appoint a Data Protection Officer (DPO). This may apply to you if you process a lot of EU personal data, or if you systematically monitor EU users’ online behavior. But even if you are not required to appoint a DPO, you may still want to consider appointing a data privacy manager, i.e. a go-to person on all matters of privacy, who can help you navigate an ever more complex array of national privacy laws across the world. We discuss this matter in greater depth here. Some companies may find value in hiring an outside DPO who is a dual EU- and U.S.-qualified privacy lawyer and can help them check the compliance box not only for GDPR and other EU data protection laws, but also for U.S. federal and state privacy laws.
Contact The Law Office of S. Grynwajc, PLLC
As a lawyer from Europe, where the GDPR was drafted, Stephan Grynwajc can help you understand not only the text of the GDPR but also the broader cultural and legal context that supplements the law and can even shift the way it is interpreted. And because he is also a U.S. privacy lawyer, Stephan can come up with solutions that address not only your GDPR compliance but also, by the same token, your compliance with U.S. privacy laws and regulations, thereby saving you time and money! If you have plans to expand your business into Europe, or if you already have, we can help. Contact us today!