May 15, 2018

GDPR - In A Nutshell

Let the Experts at Kronenberger Rosenfeld Help You Walk Through The Details

There’s a lot of noise swirling around the internet about GDPR: what does it mean, is my business covered, do I need to do something? Here at Kronenberger Rosenfeld, we specialize in internet law, and attorney Ginny Sanderson is leading our charge with respect to GDPR. Here’s a recent question and answer session with her that will help you understand GDPR better.

Q: What is GDPR, and as an American based business, do I need to comply?

The GDPR is a consumer privacy and data protection regulation that has been developed by the European Union (EU). Enforcement will be done at the individual country level, and it is likely that the United Kingdom will adopt this regulation, or a similar version. The GDPR covers businesses that collect personal information over the internet from consumers and the disclosures that they provide about this collection:

  • How it’s stored,
  • Who it is shared with,
  • How they (the consumer) can access, change or delete it, and
  • How it can be transferred to another business provider.

In essence, the GDPR provides clarity about how and what personal data provided by the consumer will be collected, used, stored and shared when a consumer visits a website and/or performs a transaction. The second part of the GDPR focuses on the backend of data collection, i.e., when consumer personal data is transferred from the person or entity who collected it (under the legislation, the “Controller”) to its vendor (a “Processor”), including transfers from the EU to Processors located outside of the European Economic Area, including in the United States.

The GDPR obviously applies to businesses located in the EU, but it also applies to U.S. businesses that collect or process personal data of EU residents. This is especially true for U.S.-based businesses that direct marketing or sales efforts to the EU, including by maintaining a website with an EU-specific top level domain (for example, .eu, .nl, .it), accepting payments in Euros, British Pounds or other European currencies, shipping product to EU addresses, advertising on EU-based websites, such as, or advertising in languages specific to EU jurisdictions. Even if you do none of these things, but your website receives a consistent amount of traffic from the EU, the best bet is to ensure your privacy practices comply with the GDPR. However, if you own a U.S.-based business that makes no effort to do business with EU residents and only attracts the occasional visitor from the EU, you have a good argument that the GDPR does not apply. Only time will tell how aggressively the GDPR will be enforced against U.S.-based businesses.

Q: What are the most important criteria that the EU regulation considers when determining GDPR compliance?

The most important criteria with respect to the consumer-facing disclosures include:

  • Are they complete?
  • Are they easy to understand? And, most importantly,
  • Does the consumer give active, informed consent?

The last aspect is the noticeable change, as it is no longer acceptable for a website’s privacy statement to simply be a link in the footer. Upon a user’s first visit to the website, they need to be presented with a link to the privacy policy, a short explanation of what it includes, and an opportunity to expressly accept the conditions set out in the policy or leave the site.

In addition, there’s a need for the business to be compliant with respect to data storage, and in particular whether the business has taken reasonable steps and safeguards to ensure that the data collected is stored safely in a robustly secure environment, and that the business partners with which consumer data is shared are trustworthy and will use the data in line with the provisions set out in the privacy statement.

Q: What does a business that falls under the GDPR net need to do?

In most cases, the starting point is the revision of the website’s privacy policy to comply with the requirements stated above, which will most likely require some language changes and the implementation of a consent mechanism.

What makes GDPR compliance more onerous on companies is that, unlike historic practice, there is not a one-size-fits-all template that can be used to ensure compliance. Instead, the policy needs to be bespoke based on the specific facts and circumstances of how consumer data is to be collected, used, stored, and shared.

My recommendation is that you call me, (415) 955-1155, ext. 113, or send me an email, and I can look at what you have and make recommendations about changes required for compliance. The timeline for compliance is May 25th, and the penalties, should your company be found to be non-compliant, are very stiff.

This entry was posted on Tuesday, May 15, 2018 and is filed under Resources & Self-Education, Internet Law News.