It’s May 25th, which means the General Data Protection Regulation (GDPR) is now in effect. The GDPR is Europe’s new comprehensive privacy regulation that completely overhauls the privacy landscape both in Europe and worldwide. The regulation has two notable aspects, among others, that distinguish it from prior European privacy laws:

  • The GDPR potentially applies to companies outside of Europe, and the bar for application is low – a U.S. website that offers goods or services to, or monitors the behavior of, individuals in the EU could trigger the regulation; and
  • Regulators can fine companies up to €20 million or 4% of their worldwide annual turnover, whichever is greater.

Although privacy professionals have had May 25th circled in bright red on their calendars for over two years, companies are now scrambling to get compliant. The GDPR requires much more than a privacy policy facelift, although you couldn’t be faulted for thinking otherwise given the overflow of policy updates this week. Among other things, the GDPR requires companies to:

  • Determine if they are a controller or processor;
  • Map out the personal data they collect and identify their legal bases for processing the data;
  • Get opt-in consent from their users for marketing emails and online behavioral advertising;
  • Update vendor and customer agreements to include GDPR-specific terms;
  • Give their users the ability to access, rectify, and erase their personal data as well as exercise other rights;
  • Appoint a data protection officer and/or EU representative, where required;
  • Conduct data protection impact assessments for high-risk processing;
  • Implement appropriate data security measures and notify regulators of data breaches within 72 hours of becoming aware of them, unless the breach is unlikely to result in a risk to individuals (affected individuals must also be notified when the risk is high); and
  • Keep detailed records of their ongoing compliance.

There is no quick fix for complying with the GDPR. If you are not already working toward compliance, you should carefully evaluate whether the regulation applies to you. On our side, we will continue to monitor for new guidance and potential enforcement of the regulation. Stay tuned.

Reference: The General Data Protection Regulation (GDPR) is Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. The regulation is an essential step to strengthen citizens' fundamental rights in the digital age and facilitate business by simplifying rules for companies in the digital single market. A single law also does away with the previous fragmentation and costly administrative burdens. The regulation entered into force on 24 May 2016 and applies from 25 May 2018.