How Does the EU Data Privacy Regulation Affect U.S. Businesses? (Part 2)

EPGD Law Intellectual Property Law

What are the Rights of Data Subjects?

Persons (i.e., “Data Subjects”) are entitled to several rights regarding their personal data, including:

  • Right to be informed – about the collection and use of their personal data;
  • Right of access – to their personal data;
  • Right to rectification – data subjects can ask data controllers to erase or rectify inaccurate or incomplete data;
  • Right to erasure – data subjects have the right to ask organizations to delete their personal data if: the data has been processed unlawfully; the organization no longer needs the data for the original purpose (and has no new lawful purpose); the organization relies on consent for processing data and the person withdraws it;
  • Right to restrict processing – individuals can ask organizations to restrict processing their personal data if, for example: they believe their data is not accurate (organizations should stop processing until they verify the accuracy of the data); or if the processing is unlawful but the individual doesn’t want the data erased;
  • Right to data portability;
  • Right to object to processing;
  • Rights in relation to automated decision-making and profiling.

How can Organizations Comply with GDPR?

Compliance with the GDPR starts with a data map: a flow chart of what information is collected, where it is stored, who it is transmitted to, and all other processes until final disposal or return of that information. Organizations must develop a compliance roadmap that identifies the specific implementation tasks needed to achieve or improve alignment with the GDPR, keyed to the provisions that require them. But remember that compliance is a process rather than a project. Organizations should develop systems and empower staff to achieve compliance with the GDPR on an ongoing basis. This means developing and implementing governance, operational, and technology components within organizations in order to comply with the GDPR.

What are the Risks of Non-compliance with the GDPR?

Some of the risks associated with non-compliance are:

  • Public relations fallouts;
  • Loss of business;
  • Fines and penalties; and
  • Class action lawsuits.

Public relations fallouts can expose an organization to news and media coverage relating to a security breach in the organization, which will likely result in decreased public trust and loss of business by customers.

Loss of business relationships can result with other companies and organizations with which an organization does business and that are within scope for GDPR compliance obligations, for example contractors who may be required to be compliant. These third parties may no longer do business with your organization, as they are required to do business exclusively with GDPR-compliant businesses.

Fines and penalties, known as regulator fines, may result from non-compliance, including fines of up to 4% of annual global turnover. As an example, British Airways was fined $229 million, and Marriott Hotels was fined $123 million, for GDPR violations.

Class action lawsuits may be brought by customers whose personal data was breached.

Who Enforces the GDPR?

The EU’s Information Commissioner’s Office (ICO) is responsible for enforcing GDPR.

EPGD Business Law is located in beautiful Coral Gables, West Palm Beach and historic Washington D.C. Call us at (786) 837-6787, or contact us through the website to schedule a consultation.

*Disclaimer: this blog post is not intended to be legal advice. We highly recommend speaking to an attorney if you have any legal concerns. Contacting us through our website does not establish an attorney-client relationship.*


Silvino Diaz

Silvino E. Diaz’s practice ranges from Civil and Commercial Litigation to Entertainment and Intellectual Property Law. Silvino has earned a reputation as one of Puerto Rico’s foremost advocates for independent musicians and artists. As a result of his sustained commitment to creative industries, he was named Professor of Intellectual Property Law at Atlantic University College (Guaynabo, PR) – the Caribbean’s leading digital arts institution – where he spearheaded the “Introduction to IP” course for both the graduate and undergraduate programs, and was appointed by the Office of the President to develop an Intellectual Property graduate curriculum, where he served until moving to Miami in 2017. He is the founder of the service known as Starving Artists, where he offers innovative business and legal counsel for artists and creatives.

