The proposed EU General Data Protection Regulation will cover entities regardless of their physical presence or scope of operations within the EU even if all they do is sell products in the EU. This means that many US companies are about to experience new regulatory oversight.
To get ready, US-based companies, as well as companies that only have US entities, should focus on the following:
- Data collection and storage practices: You must understand the scope of your EU operations, including the type of data you collect from the EU, what you do with that data, whether you need all the data that you collect and process, and how long you retain that data.
- Current scope of EU regulatory compliance: Examine what you have done to date with regard to regulatory compliance – e.g., where applicable, the extent of your compliance with data collection and data transfer requirements and whether you have taken steps to adopt a plan providing acceptable compliance by Q4 2017.
- Privacy by design: If privacy by design principles are not already embedded in your company’s processes, then evaluate how to revise processes company-wide to make these principles operational.
And, given the EU’s high proposed fines, it is vital to remain aware of the progress of the EU Regulation’s implementation to ensure you timely make any necessary changes to mitigate risk.