GDPR & LOL Digital Properties Internal Use

Post on 23-Sep-2020

Page 1: GDPR & LOL Digital PropertiesGDPR Basics The General Data Protection Regulation (GDPR) is a far-reaching privacy law governing the collection & use of personally identifiable information

GDPR & LOL Digital Properties

Internal Use

GDPR Basics

The General Data Protection Regulation (GDPR) is a far-reaching privacy law governing the collection & use of personally identifiable information (PII) of European Union (EU) citizens and residents.

GDPR affects businesses “established” in the EU – meaning they have a physical presence within the EU – as well as businesses located outside the EU who:

• Offer goods & services for sale within the EU; or
• Monitor the behavior of EU citizens & residents (think behavioral advertising or what EU regulators call “profiling”).

The maximum penalties are severe: €20,000,000 or 4% of total annual revenue – whichever is greater. To put that in context, LOL’s 2017 revenue was $13.7 billion. 4% of that is $548,000,000.00.

GDPR goes into effect May 25, 2018.

Presenter
Presentation Notes
“Profiling” is “any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements” (GDPR Art. 4(4)).
GDPR’s Data Principles

• Lawfulness: Be transparent & fair
• Purpose Limitation: Collect data for specified & legitimate purposes
• Data Minimization: Limit data collection to necessities
• Data Accuracy: Keep updated & allow for user updates
• Storage Limitation: Keep data only so long as is necessary
• Integrity: Data security to protect against unlawful access/loss

Does GDPR Apply to What I’m Doing?

If you operate a website that collects PII (such as IP address, contact information, etc.), then it is possible for nearly anyone in the world to access your site and provide you their PII.

If someone from the EU does this, do I need to comply with GDPR? Consider this 3-Part test:

Established
• Does the business maintain a physical presence in the EU?
• Does the business have employees in the EU?

Goods or Services
• Does the business offer Goods or Services for sale in the EU?
• This can be a difficult analysis. If the first two scenarios don’t apply, but you are collecting data from EU individuals, please contact [email protected]

GDPR & Vendors

GDPR anticipates that many companies utilize 3rd party vendors to assist with business functions, including data processing.

If one of our vendors violates GDPR while performing those functions on our behalf, LOL could be held liable.

If you are working with a 3rd party vendor that could, or will, process personally identifiable information from EU residents, please contact [email protected]

• Data Subject (the Person)
• Data Controller (LOL)
• Data Processor (Vendor)

Other Considerations

Cross-Border Transfer of Data
• EU - US
• Access = Transfer
• Binding Corporate Rules

Technology
• Right of Access & Updates
• Right of Erasure
• Data Security

Privacy by Design
• Get Privacy involved early – GDPR requires documentation of how privacy is addressed

Confidential

Please contact Privacy with any questions or concerns regarding GDPR compliance or whether GDPR applies to your project.

[email protected] [email protected]
