Compliance with the EU's GDPR

On May 25, 2018, the European Union's new General Data Protection Regulation (GDPR), containing many stringent requirements relating to collecting and processing the personal data of EU residents, goes into effect. U.S.-based companies that do business with EU-based customers, or that deal with the data of EU residents, face harsh penalties (including fines of up to 4% of a company's annual global turnover or €20 million, whichever is higher) for non-compliance with the GDPR's new requirements.

Aspects of the GDPR’s new requirements include:

Explicit Consent: The GDPR requires that individuals must have given freely given, specific and informed consent, through an unambiguous indication signifying agreement, in order for a company to process their personal data, and that such consent may be withdrawn as easily as it was given.

Right to Data: The GDPR gives individuals a right to receive confirmation from companies regarding whether or not their personal data is being processed, where, and for what purpose. Copies of the individuals’ data in electronic format must be provided free of charge.

Reporting of Security Breaches: The GDPR imposes mandatory reporting of security breaches to the appropriate regulators and, in certain circumstances, to everyone affected by a breach, without undue delay and, where feasible, within 72 hours after a business first becomes aware of a breach.

Data Protection by Design: The GDPR requires businesses to incorporate principles of data protection by design, including Data Protection Impact Assessments for new uses of personal data where the risk to individuals is high.

Right to be Forgotten: The GDPR entitles individuals to have data controllers erase their personal data, and cease processing and further dissemination of their data.

Data Protection Officers: The GDPR requires certain businesses, in certain circumstances, to appoint a Data Protection Officer to oversee their data processing operations.

Worldwide Application: The GDPR will apply to foreign businesses, regardless of their location, that process the personal data of EU residents.

Although the extent to which the GDPR will be applied and enforced against U.S. companies is somewhat uncertain, any company that regularly markets goods or services in the EU, or that processes personal data of EU residents (either on its own behalf or on behalf of others), would be well-advised to confirm that its systems and documentation are in compliance with the GDPR's new requirements.