LAS VEGAS — Adult industry attorney Marc Randazza recently completed a certification program on European data protection law through the Academy of European Law in Trier, Germany.
The program focused on the new E.U. General Data Protection Regulation (GDPR), which will be enforceable on May 25.
All companies — including adult entertainment businesses — that collect data on European citizens must be in compliance with the GDPR within the next eight months.
“I completed this certification program on European Union Data Protection law to ensure that we are ready to help our clients comply with the GDPR,” said Randazza of Randazza Legal Group. “The problem is that many companies are not taking it seriously. Meanwhile, we have been immersed in this subject for three years.”
Randazza said that any company that collects data on citizens of the European Union will be required to comply with the GDPR, even if the company is not in the E.U.
The GDPR focuses not on where the company is located, but on whether the company provides services to or collects data on E.U. citizens, making the GDPR a global law with severe ramifications.
Randazza emphasized the adult industry needs to be ready for these changes.
For example, he said, many web-based adult businesses will need to make significant changes to their online privacy policies, because any company that collects information on E.U. citizens will need to ensure that its privacy policies reflect the new requirements set out by the E.U.
Randazza also counsels many of his clients on the practical aspects of the program, such as building a Data Protection Impact Assessment (DPIA).
Developing a DPIA is mandatory in some cases, and it is an important tool in ensuring that companies are both accountable and compliant with the new data processing guidelines.
Penalties for non-compliance with the GDPR will range from €10 million to €20 million, or between two and four percent of global revenue. The GDPR states that the penalty will be either the flat fine or the percentage of global turnover, whichever is greater.
In Trier, Randazza focused his time on studying both the remedies available to E.U. citizens and how to ensure that a company is in compliance with the GDPR to avoid these penalties.
The certification program also covered many of the practical aspects of the European right to be forgotten. The GDPR states that European citizens have the right to have their personal data erased in several situations, such as withdrawing their consent.
One way that Randazza expects to help his adult industry clients comply with the new right to erasure requirements is by carefully reviewing many of the form contracts that they currently use.
For example, many form modeling contracts may not be compliant with the new GDPR standards regarding the right to erasure.
Most large companies that process sensitive data will need to have a data protection officer, or DPO, and there are likely many large adult industry companies that fall into this category, Randazza said.
In Trier, Randazza studied many of the practical aspects of choosing a DPO.
Randazza is prepared to advise his adult industry clients regarding whether they need a DPO, and what type of documentation a company should keep on file if it decides not to have a DPO.