General Data Protection Regulation: Should a Florida Business Care?
This article was originally published by the Orlando Business Journal on May 4, 2018.
This new regulation has implications for Florida companies, both for-profit and nonprofit, that do business in the EU.
Starting this month, the European Union’s (EU) General Data Protection Regulation takes effect with implications for Florida companies, both for-profit and nonprofit, that do business in the EU. This is the first major change in EU data protection regulations in 20 years. The regulation is driven in part by the EU’s reaction to the global increase in data breaches, and by concerns about use of the private data of European citizens.
Accordingly, the regulation creates data protection standards beyond anything required domestically and has significant implications for Florida companies. The regulation applies to any online entity that owns a website accessible to European citizens, if the website collects user data.
The regulation does not bring a brand-new concept, but it does alter prior EU regulations about data protection and use. It applies to “controllers” and “processors” of personal information and other “sensitive data.” In basic terms, “controllers” determine the purposes and means of processing personal data regardless of whether they directly collect the data from data subjects. “Processors” process the data on behalf of the controllers. Personal information includes name, address, IP address and such online identifiers as cookies.
To continue to do business in the EU, most companies will have to implement additional privacy protections and adopt end-to-end data protection strategies that could include:
- Appointing a data protection officer
- Conducting data protection impact assessments
- Notifying the reporting authority and impacted persons within 72 hours of when an organization finds out about a breach
Additionally, the EU may assert 2 percent of a company’s total annual revenue as a fine for a breach. The regulation’s goal is compliance, not levying of fines.
It is easy to understand that the regulation will apply to companies that avail themselves of the European market. However, whether more tangential contacts with the market will trigger regulatory scrutiny remains an open question.
Businesses that collect information from European citizens for purposes such as market research will want to examine the regulation to assess the implications it has for the data protection practices of their organization. Below are a few categories where the EU could assert that regulation requirements apply to a Florida business:
- Companies that conduct international internet sales
- Organizations that collect data from the public, including chambers of commerce and businesses that maintain database information on European citizens
- Businesses that maintain relationships with seasonal European visitors to Florida
Companies can mitigate risk by exceeding domestic standards and adopting some of the regulation’s rigorous protocols. Doing so may reduce regulatory concerns and also stave off attention from domestic regulators, plaintiffs and stakeholders who find fault with an organization’s data handling.
Data can be a great asset to many organizations, but it also comes with risk. Thus, leaders must evaluate and prioritize data protection within the organization.
Jacey Kaps and Steve Berlin are attorneys at RumbergerKirk. Kaps, a partner in the firm, holds the ANSI/ISO accreditation of Certified Privacy Professional US from the International Association of Privacy Professionals and the designation of Payment Card Industry Professional from the Payment Card Industry Security Standards Council. He may be reached at email@example.com. Berlin is an associate whose practice focuses on the legal impacts of technology. He may be reached at firstname.lastname@example.org.