On May 25, 2018, the European Union’s new General Data Protection
Regulation (GDPR), containing many stringent requirements relating to
collecting and processing the personal data of EU residents, goes into
effect. U.S.-based companies that do business with E.U.-based customers,
or that deal with the data of EU residents face will harsh penalties (including
fines of up to 4% of a company’s annual global turnover or €20
million, whichever is higher) for non-compliance with the GDPR’s
new requirements.
Aspects of the GDPR’s new requirements include:
Explicit Consent: The GDPR requires that individuals must have given their freely given,
specific and informed consent through an unambiguous indication signifying
agreement in order for a company to process their personal data, and that
that consent may be withdrawn in a manner as easily as it was given.
Right to Data: The GDPR gives individuals a right to receive confirmation from companies
regarding whether or not their personal data is being processed, where,
and for what purpose. Copies of the individuals’ data in electronic
format must be provided free of charge.
Reporting of Security Breaches: The GDPR imposes mandatory reporting of security breaches to appropriate
regulators and everyone affected by a breach in certain circumstances
without undue delay, and, where feasible, within 72 hours after a business
first becoming aware of a breach.
Data Protection by Design: The GDPR requires businesses to incorporate principles of data protection
by design, including Data Protection Impact Assessments for new uses of
personal data where the risk to individuals is high.
Right to be Forgotten: The GDPR entitles individuals to have data controllers erase their personal
data, and cease processing and further dissemination of their data.
Data Protection Officers: The GDPR require certain businesses to appoint a Data Protection Officer
to oversee their data processing operations in certain circumstances.
Worldwide Application: The GDPR will apply to foreign businesses, regardless of their location,
that process the personal data of EU residents.
Although the extent to which the GDPR will be applied and enforced against
U.S. companies is somewhat uncertain, any company that regularly markets
goods or services in the E.U. or that processes personal data of E.U.
residents (either on its own behalf or on behalf of others) would be well-advised
to confirm that its systems and documentation are in compliance with the
GDPR’s new requirements.