Skip to main content
IMA Executive News & Views Blog

Does the EU’s GDPR Apply to Your Company?

by Aaron D. Charfoos and Stephen L. Tupper

Dykema is an IMA member law firm…

The European Union’s General Data Protection Regulation (GDPR) takes effect May 25, 2018. The GDPR will affect companies all over the world, regardless of whether they are located in the EU. Many US-based companies are surprised to find they must also comply or risk facing large fines. If these regulations apply to your company now, or may in the future, you can’t afford to wait. Do they apply to your company? If so, are you ready? Find out below:

What is personal data?

The GDPR protects “personal data,” which is any information directly or indirectly relating to an identifiable person (aka “data subject”). This includes: a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity. It does not matter if the data subject has ever purchased your company’s product or services.

But I only do business in the United Kingdom. Will Brexit save me?

No. The UK will still be a member of the EU when the GDPR take effect in May. But even after it leaves, the UK has stepped up efforts to adopt regulations consistent with the GDPR in order to preserve continuity of data with key trade partners. In fact, the UK’s proposed Data Protection Bill, when adopted, might even go a little further than the GDPR.

What does it mean to “process” data?

The GDPR defines “processing” very broadly, so as to capture virtually any use of data, describing it as “collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.” Put another way: If you have a contact list, you process data under the GDPR.

Controllers, processors…what are these?

A data controller is defined as a party that “determines the purposes and means of” personal data processing. A data processor is a party that does the actual processing. Both are regulated by the GDPR.


To view the full brief, click here.