Beginning May 25th, 2018, a new regulation called the General Data Protection Regulation (GDPR) is scheduled to be implemented into European Union law. This regulation was originally created two years ago, on April 14th, 2016, and now, after a thorough transition period, will be enforced. For those not familiar with the 1995 Data Protection Directive, it is the former regulation that the GDPR will be replacing. The GDPR is considered to be the most important change to data privacy regulation within the last two decades, and anyone with European users and customers should familiarize themselves with it and prepare for this change that is soon to come. With a new law that is as extensive as the GDPR, we will have to cherry-pick certain parts of it to review. All of the following information is especially important for anyone who is looking to start a business that may operate in Europe.
Grounds for Processing
According to the GDPR, in order to lawfully process someone’s data, there must be at least one lawful reason for doing so, which may include:
- Consent must be granted, or a specific purpose must be given by the person that is to have their data processed.
- A contract that has been agreed upon by both subjects requires their data to be processed to perform that contract.
- Processing of the subject’s data is necessary in order to fulfill a legal obligation.
- Processing of the subject’s data is absolutely vital in protecting interests with regard to the subject themselves or another person.
Matters of Consent
As mentioned in the previous section, if there is not a more specific reason for the processing of someone’s data, then there must be consent given by the subject. In regard to what actually qualifies as “consent,” there are changes to come with the GDPR that will affect what will be considered definitive evidence of consent, including the following:
- With a child, their parent or legal guardian must give consent on their behalf.
- Even if a data controller has provided proof of consent, the consent can then be withdrawn by the subject.
- Businesses that claim to record their calls for “security and training purposes” are no longer allowed to use these recorded calls as proof of consent. Calls also are not to be stored in cases where the subject withdraws their consent.
Call an Experienced California Business Lawyer Today
In the wake of all of the major changes that are on the horizon with the GDPR, anyone who does business (or who may eventually do business) in Europe should speak to an attorney as soon as possible. Ensuring compliance with the new regulations from the start will help avoid potential liability under the GDPR and unnecessary interruptions to business operations. To schedule a consultation with a Silicon Valley business attorney, call Kalia Law, P.C. at (650) 701-7617 or contact us online.