The right to privacy is a long-standing concept that goes back to English Common Law. The Castle Doctrine gives us the familiar phrase, “A man’s home is his castle.” The castle can be generalized as any site that is private and should not be accessible without the owner’s permission. The idea of privacy quickly expanded to include recognition of a person’s spiritual nature, feelings, and intellect. It is the right to be left alone.
The European Union (EU) General Data Protection Regulation (GDPR) replaced the Data Protection Directive 95/46/EC to strengthen and unify data protection for individuals within the EU and to address the export of personal data outside the EU. The EU parliament passed the Regulation—after four years of debate—on April 14, 2016, with an effective date of May 25, 2018.
Modern U.S. tort law
There are four categories of modern tort law in which the concept of “invasion of privacy” is used in legal pleadings. These four concepts are remarkably similar to the revisions of GDPR:

Intrusion of solitude: intrusion into one's private quarters
Public disclosure of private facts: the dissemination of truthful, private information
False light: the publication of facts that place a person in a false light
Appropriation: the unauthorized use of a person's name or likeness

Intrusion of solitude refers to a person intentionally intruding—either physically or electronically—into the private space of another. Typical examples include hacking into someone else’s email or setting up a video camera to secretly view a person without their knowledge.
Public disclosure of private facts is the act of publishing information that was not meant for public consumption. This concept differs from libel or slander in that truth is not a defense to an invasion-of-privacy claim.
False light specifically refers to the tort of defamation. Communication of false statements or information that harm the reputation of an individual person, business, product, group, government, religion, or nation all fall within this definition.
Appropriation of name or likeness prevents—often at a state level—the use of a person’s name or image, without consent, for the commercial benefit of another person. This protects a person’s name from commercialization in a similar fashion to how a trademark action protects a trademark.
Modern tort law extends beyond the protection of the individual. However, there is one grey area: how information is shared. GDPR directly addresses the need to protect personal information, outside the borders of a country, for the safety of its citizens.
The threat is here
There were 1,579 data breaches and over 179 million records exposed in 2017 according to the Identity Theft Resource Center’s 2017 year-end report—a dramatic 44.7 percent increase over 2016 data breaches. The breaches and records lost were spread across industries:

Banking: 134 breaches, 3.1 million records
Business: 870 breaches, 163 million records
Education: 127 breaches, 1.4 million records
Government: 74 breaches, 6 million records
Healthcare: 374 breaches, 5 million records

The threat to citizens’ privacy is not coming. This threat has already arrived.
GDPR policy in a data-driven world
Since the original 1995 directive, GDPR has established key principles that govern data usage, storage, and dissemination. The Regulation expands four core areas:

Territorial scope: this extends the jurisdiction of GDPR to all companies processing the personal data of subjects residing in the EU
Penalties: an organization can be fined up to 4 percent of annual global turnover or €20 Million (whichever is greater)
Consent: long, complex terms and conditions and data requests must be intelligible
Data-subject rights: breach notification, right to access, right to be forgotten, data portability, privacy by design, and data-protection officers (DPOs) have been clarified, often increasing the scope of GDPR

Territorial scope states that if the data includes subjects from the EU, the company must comply with the Regulation. This area also clarified the processing of personal data by controllers or processors—regardless of whether the data processing happens in the EU. If EU personal data is touched, your organization is impacted. The penalties are severe, and companies are taking notice. In addition to the 4 percent penalty, there is a tiered approach that fines companies 2 percent for not having their records in order (EU article 28). Additionally, not fully and promptly notifying the supervising authority of a data breach will be costly. It is interesting to note that the “controllers and processors” language makes it clear that cloud and SaaS providers are not exempt from GDPR enforcement. Consent, although previously technically available, was often buried within unintelligible terms and conditions. Consent must now be requested in clear and plain language, and it must be easy to grant or withdraw.
The data-subject rights cover six areas in more depth:

Breach notification: inform the supervising authority within 72 hours of the breach
Right to access: notify individuals if their personal information is being processed and for what purpose
Right to be forgotten: withdraw consent and erase all data traces (EU article 17)
Data portability: provide data in common-use and machine-readable form
Privacy by design: design data protections into systems—versus a system addition
Data-protection officers: appointment of DPOs is mandatory for processing operations that require regular and systematic monitoring of data subjects

Processing and using personal data
These onerous obligations replace the old Directive and apply to all twenty-eight Member States of the EU—from the UK to Estonia. GDPR encourages companies to re-examine organizational policies, standards, guidelines, procedures, and processes.
As your organization assesses GDPR impact, there are 10 questions to keep in mind:

How does expanded territorial reach impact your customers, providers, and partners?
Do you have sufficient DPOs in place with the appropriate programs?
Are data accountability and privacy included in the business process and system design?
Are the tasks of data processors defined into organizational roles with appropriate accountability and responsibilities?
Has your organization revisited corporate policies and procedures while taking into consideration the broad-reaching scope of GDPR?
Is consent to access the array of products, services, and interactions written in clear and plain language?
Do customers understand how to clearly grant or withdraw consent?
Have risk assessments been performed to quantify the economic and financial risk of non-compliance that could result in fines?
Is the process for data-breach notification streamlined to ensure compliance within the 72-hour guideline?
Does the organization have clear guidelines on the definition of a “serious” breach?

Companies have a lot to do before GDPR becomes effective on May 25, 2018. Stay on top of the latest GDPR developments by following the Article 29 Data Protection Working Party (WP29). This working group is an independent European Union Advisory Body on Data Protection and Privacy and includes representatives from each of the EU member states. Together, we can improve how big data is processed while limiting the financial risk to our organizations.