What GDPR Means to You

Here are the basics of compliance with the data-protection rule

6 Criteria
The following points must be met to collect private data:

1. The data is necessary for contract performance.

2. Consent has been given to collect data.

3. You have a legal obligation to collect the data.

4. It's of vital interest to collect the data.

5. Collecting data serves a public need.

6. It serves "legitimate" interests to collect the data.

Over the past several months, everyone's email inboxes have been overflowing with privacy and data-protection notices, thanks to the European General Data Protection Regulation, or GDPR. The rule, which went into effect on May 25, dictates that U.S.-based organizations (whether for-profit or not-for-profit) doing business with individuals located in the European Union are subject to various strictures regarding the acquisition or processing of personal data. Let's explore what this means in practice.

Note that "personal data" includes any information relating to an identifiable person. A name, home address, image, social-media postings or even the digital cookies generated by a person's website visits are all considered to be personal data.

To collect and process personal data, you must be prepared to demonstrate that you have a legitimate and lawful reason for doing so, as noted in the sidebar, "6 Criteria," above.

An important step under GDPR is to conduct a data audit that determines the source and nature of the data, how it will be used, who it is being shared with, where it is being stored, whether any third parties will handle it, how long it will be stored and what security level will protect it. You need to share all of these procedures with any employees who will have access to the data.

There has been much talk about the need to obtain consent before collecting and using personal data. Simply requiring an attendee or supplier to check a box granting permission to collect their data isn't enough. Permission must be clearly spelled out, affirmative and freely given. Records of consent must be maintained.

Procedures also need to be established in case a data breach occurs. Devise a detailed plan for how the investigation will take place, followed by reporting and adding further protections. Employees are required to report any breaches to a supervisory authority within 72 hours of becoming aware of the breach.

Be sure to review any agreements with data-processing suppliers or third parties that involve personal data. Look for so-called Data Protection Addenda (DPAs) to existing contracts, which clearly set forth the responsibilities of the parties and the process for protecting the data that will be collected. DPAs will be a key line of defense in many situations.

GDPR enforcement has been left to the EU's member states, which must pass their own laws governing violations. In general, penalties for noncompliance can be set at up to $25 million or 4 percent of the total global revenue of the offending organization.

Clearly, it pays to comply with GDPR.

Jonathan T. Howe, Esq., is a senior partner of the Chicago and Washington, D.C., law firm of Howe & Hutton Ltd., specializing in meetings and hospitality law. Send your comments or legal questions to [email protected]