What is GDPR, You Ask?

By Brian J. Lamoureux, May 18, 2018 | Cybersecurity

Introducing the little-known (but hugely important) General Data Protection Regulation (GDPR). We know, we know. You’ve never heard of it. And, if you did hear of it, you don’t think it applies to your company, to your college, or to your work as a consultant. Well, sorry to say, you’re probably wrong. GDPR likely applies to any business with a computer connected to the Internet.

What is GDPR, you ask? GDPR is a new regulation adopted by the European Union (EU) which becomes effective on May 25, 2018. It is a game-changer. GDPR is the EU’s new law to protect personal data and enhance the privacy of its citizens online. Among other things, GDPR:

  • empowers its citizens to have more control and say over how and when their personal information is collected, used, analyzed, and stored.
  • sets limits on the processing of personal data to specific and legitimate business purposes.
  • gives EU citizens the right and authority to obtain any data you have gathered about them and to require you to fix any inaccuracies or even erase their data (known as the “right-to-be-forgotten”).
  • requires you to use adequate security measures to protect this data and to promptly notify users of any breaches (i.e., within 72 hours in most cases).

GDPR will be enforced by national regulators in the EU who will have the authority to assess mind-bogglingly substantial fines for violations (i.e., the greater of 4% of a company’s annual revenue or €20 million, or $24,137,900 as of the writing of this post). (Yes, you read that correctly.)

Do we have your attention yet?

“But wait a second,” you say. “How can this law apply to me when I’m in the United States? This is America! No taxation without representation!” Yes, we know. However, GDPR’s reach is far and wide. If you obtain or use personal data (which the GDPR defines broadly) of any EU citizen, then GDPR likely applies to you. Although it remains to be seen how the EU’s regulatory authorities will seek to enforce the GDPR against American companies, given the close working and trade relationship between the United States and the EU, we expect that international law will permit GDPR enforcers to reach U.S. companies. And, our understanding is that there will be no grace period and enforcement will begin promptly after the May 25, 2018 effective date.

So, now what?

It’s too complicated to lay out all the steps to ensure GDPR compliance in a blog post. Therefore, please consider this list as a very general and high-level set of guidelines to consider:

  • First, a company’s ownership or senior management should be made aware of GDPR’s existence and upcoming implementation.
  • Second, a company should assemble a GDPR Task Force consisting of senior management members, legal counsel (either outside counsel or in-house), the company’s IT professionals, the personnel responsible for handling the company’s website and data gathering/tracking, and perhaps the company’s marketing representative. The purpose of the Task Force would be to begin to understand GDPR and think through how the company’s data practices are impacted by it.
  • Third, a company may need the service of a cybersecurity consultant to come in and audit or assess the company’s systems to get a solid handle on the data the company tracks and stores.
  • Finally, a company should ask its insurance broker about the possibility of purchasing coverage for GDPR events and enforcement actions. As of this writing, it seems that the insurance market is in a great state of flux/uncertainty on this issue, most likely because of the staggering amount of financial exposure under the GDPR. We seriously question whether current cybersecurity insurance riders will be adequately broad enough to cover GDPR-related losses and fines.

Based upon our discussions and review of the marketplace, we believe only a small percentage of U.S. institutions are prepared for GDPR’s implementation and potential impacts. GDPR is here to stay and no one wants to be the first U.S. test case caught in the GDPR’s net. We know this all sounds daunting, but you should resist the temptation to ignore GDPR and hope you never get a certified letter from Berlin, Paris, or London. Compliance with GDPR is not impossible, but time is running out.

Disclaimer: All blog posts are for informational purposes only. This blog is not legal advice and you should not use or rely on it as such. By reading this blog or our website, no attorney-client relationship is created. We do not provide legal advice to anyone except clients of the firm who have formally engaged us in writing to do so. This blog post may be considered attorney advertising in certain jurisdictions. The jurisdictions in which we practice license lawyers in the general practice of law, but do not license or certify any lawyer as an expert or specialist in any field of practice.

Brian J. Lamoureux is a Partner with Pannone Lopes Devereaux & O'Gara LLC and a member of the Employment Law, Cyber Law, Litigation and Corporate & Business Teams. He is also Practitioner Faculty in Management (Business Law) at Providence College, his alma mater.

His extensive practice areas include complex commercial litigation, employment law, construction law, social media law, and creditors' rights. In addition to being an accomplished business litigator, he has developed into a nationally-recognized voice on cutting-edge legal issues relating to social media. He is a frequent presenter, published author, and broadcast commentator on the topic and regularly appears on WPRI-TV, NBC10 and NECN-TV, the nation's largest 24-hour regional news network. His recent newspaper columns and articles include "Social Media Privacy Law Impacts Employers," "Should Employees Use Facebook at Work?," "Privacy Rights Being Tested in the Digital Age," "Digital Age Hiring Process Filled With Danger," "Texting in the Workplace? Dangers Abound," "Email Privacy Not a Guarantee in Workplace," and "Worry About Workplace Prejudice? Clean Up." Mr. Lamoureux's work has also been published in the Providence Business News and Rhode Island Lawyers Weekly.

He successfully briefed and argued before the First Circuit Court of Appeals in a case confirming surety's rights to indemnification. He was lead counsel in a successfully resolved certified class action regarding the demutualization of an insurance company before the U.S. Bankruptcy Court for the District of Rhode Island, and served as trial co-counsel in one of the largest defense jury verdicts in the Federal District Court in Massachusetts.

Mr. Lamoureux has been honored for his achievements by the Providence Business News and was selected as a member of its 2011 Class of "40 Under Forty."

He earned his J.D., magna cum laude, from the Syracuse University College of Law, where he was a member of the Syracuse Law Review and Moot Court Honor Society. At the same time, he received a Master of Public Administration from the Maxwell School of Citizenship and Public Affairs. He also holds a Master of Arts degree in Political Science from the University of Rhode Island, where he was a teaching assistant in American Government and International Relations, and a B.A. in Political Science, cum laude, from Providence College.

Prior to joining PLDO, Mr. Lamoureux was a litigation partner in a large international AMLaw 200 firm. He is admitted to practice in state and federal courts in Rhode Island and Massachusetts, and is qualified to serve as a receiver in Rhode Island Superior Court. Mr. Lamoureux is also admitted to practice before the U.S. Supreme Court. To reach Attorney Lamoureux, please call 401-824-5100 or email bjl@pldolaw.com.
