The General Data Protection Regulation (GDPR) (Regulation 2016/69, Apr. 27, 2016) was formally published in the Official Journal of the European Union on May 4, 2016.[1]  The GDPR will be enforced beginning on May 25, 2018.[2]  Companies that collect data about European citizens have until that time to comply with the Regulation.  Due to the significant and burdensome requirements the GDPR imposes upon companies processing EU citizens’ personal data, preparations to comply with the GDPR will be time-consuming, particularly for businesses that rely heavily on the use of personal customer data. 

Who Does the GDPR Apply To?

The GDPR applies to any business, whether or not it is based in an EU country that processes the data of EU citizens.

My Organization is Based in the United States.  Can It Be Held Accountable for Noncompliance?

If your organization processes (that is, collects, stores, retrieves, uses, discloses, disseminates, or otherwise makes available, among other operations performed on data) personal data of EU citizens, your organization will be subject to the following remedies and liabilities, among others:

  • Fines of up to 4 percent of global revenue for the previous year, or €20 million (depending on which is greater), for a breach of the basic principles. 
  • Other infringements can result in a fine of up to the higher of €10 million or 2% of total annual worldwide turnover.
  • Complaints lodged by EU citizens with a supervisory authority in any Member State.
  • Compensation due to an EU citizen for the unlawful processing of the citizen’s personal data.
  • Penalties imposed by each EU member state for noncompliance.
  • Judicial proceedings before the courts of the Member State where your organization has an establishment.

My Organization Has a Privacy Policy.  Isn’t that Sufficient?

In order to comply with the GDPR, your organization must implement data protection measures and processes likely beyond those measures currently outlined in your privacy policy and potentially outside the scope of your current data privacy program.  In addition, because the GDPR requires certain representations in the privacy policy, revision of the policy is required. 

Due to these new requirements, GDPR compliance may necessitate operational reforms at your organization.  Therefore, the first step to reaching compliance is undertaking a detailed assessment of your organization’s current privacy practices and programs and identifying gaps in those processes. 

What New Processes Does the GDPR Require?

The GDPR grants EU citizens certain individual rights which require organizations to provide mechanisms through which individuals can exercise these rights. For example, the GDPR explicitly provides EU citizens:

  • The right to be forgotten;
  • The right to require their personal data be transported to a new service provider;
  • The right to object to decisions taken by automated processes.

The GDPR also requires organizations to:

  • Provide extensive information to individuals about the processing of their personal data.
  • Follow strict requirements for obtaining consent regarding the collection of personal data and cross-border data transfers.
  • Implement a comprehensive security program.
  • Implement processes to ensure that users, management and third parties confirm their understanding of the company’s privacy policy and procedures related to data protection.
  • Establish effective privacy audit and review processes.
  • Employ industry-standard encryption technologies.
  • Assign a designated individual who is responsible for security gap remediation, and certain organizations must hire, appoint, or contract a data protection officer.
  • Notify data protection authorities of personal data breaches within 72 hours.
  • Adopt measures to protect personal data by design and default.
  • Maintain detailed records of data processing activities.
  • Maintain documentation regarding the legal basis for cross-border data transfers.

What Steps Can My Organization Take Toward Compliance?

To become fully compliant with the Regulation, an organization must ensure that its privacy practices match its GDPR-compliant privacy policy and procedures.  An organization may begin the process toward becoming compliant by taking the following steps, among others:

  • Assessing the impact of the GDPR on your organization.
  • Developing a plan to address gaps.
  • Evaluating risks involved in transferring data to the United States.
  • Considering whether to adopt binding corporate rules or model clauses.
  • Reviewing vendor management policies and procedures.
  • Ensuring third party contracts comply with GDPR security and reporting requirements.
  • Updating internal and consumer-facing privacy policy and procedures.
  • Implementing the organizational structures and staffing necessary to execute GDPR-compliant procedures related to the processing of EU citizens’ data.

GDPR compliance requires an organization-specific assessment which should be conducted in consultation with legal counsel.  Additionally, this process will involve consultation with an organization’s information technology department or vendor, legal department, marketing department, and corporate leadership.  Investing in a privacy assessment and Regulation-compliant infrastructure now will place an organization in a position to avoid inquiries from EU regulators, complaints from EU citizens, and potentially costly sanctions.