The European Union’s (EU) General Data Protection Regulation (GDPR) will go into effect on May 25, 2018. Viewable here [1] in all 24 official languages of the 28 member Union, the GDPR sets out a regulatory framework for the processing of personal data of persons within the EU.

Unlike some data privacy laws which regulate organizations within their territorial jurisdiction, or regulate the data of their citizens, the GDPR covers nearly any personal data gathered on persons physically in the Union, regardless of citizenship status or geographic location of the organization. This broad reach will place many American organizations under the regulatory hand of the European Union.

GDPR Scope

The privacy regulation implemented by the GDPR covers personal data (which can be name, address, location data, financial information, health information, cultural information, and more) of persons physically located in the European Union when that data was generated or acquired. Organizations that collect this data directly, or that process this data for other organizations, are governed by the GDPR.

Article 3 of the GDPR is titled “Territorial Scope.” The scope of the regulation is not limited to the territory of an organization, but the territory of the data subject. Specifically, Article 3 states:

This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

  1. the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
  2. the monitoring of their behavior as far as their behavior takes place within the Union.

Put plainly, if your organization has any personal data of a person in the EU, or gathered from a person while they were in the EU, your organization is within the scope of the GDPR.

GDPR Requirements

The lengthy regulation is supplemented by many articles from the “Article 29 Working Party” outlining how the regulation should be interpreted and enforced. The changes your organization will need to implement will depend on a variety of factors including the type and amount of data for which your organization is responsible. The GDPR carries strict data breach notification requirements, security requirements, and consent requirements. In the United States, people generally do not have the right to access data which companies hold, even when that data pertains to them. The GDPR gives persons the right to view, withdraw consent, and even order organizations to delete information on them within certain constraints. Setting up the organizational methods to deal with such requests will be a necessity for many American companies.

GDPR Penalties Against US Companies

Penalties for non-compliance with the GDPR can be severe. The GDPR permits fines up to 20 million Euros or 4% of annual global revenues, whichever is higher. Many US companies might prudently wonder how an EU member state could levy a fine against them. The GDPR contemplates several ways an EU member state may sanction a noncompliant organization. First, if the American company has established a location in the EU, then it can be sanctioned directly. Second, some companies that process a significant amount of EU data must designate a representative located in an EU member state to work with the regulators to ensure compliance and to accept sanctions from the regulators on behalf of the company. Finally, we can look back to Article 3 to see that the GDPR asserts its authority over “a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.” As the GDPR is not yet in force, it is not clear to what extent an EU member state would leverage an international treaty with the US, or an agreement with the FTC, to enforce its regulation on a company located exclusively in the US without a designated representative in the EU, but the EU is clearly claiming the right to do so.

Time to Start

It is an old adage that the best time to plant an oak tree is 50 years ago, but the second-best time to plant one is today. While many organizations began planning their GDPR compliance programs over a year ago, organizations that are just now getting started can significantly reduce their risk by acting now. View the European Commission’s Data Privacy Infographic [2] to get a brief overview of what compliance could look like for your organization. Contact trusted data privacy experts to perform a GDPR assessment to see whether your organization’s practices fall under the extensive authority of the GDPR, and what steps you can take to ensure compliance on May 25, 2018.