The European Parliament and the Council of the European Union have approved the General Data Protection Regulation (“GDPR”) (Regulation 2016/679), which will replace the Data Protection Directive (Directive 95/46/EC) effective May 28, 2018. GDPR affects companies that use or process personal data in the European Union (“EU”), as well as companies residing outside of the EU that process data of EU citizens or residents (which may include U.S. citizens) pursuant to the offering of goods and services to such individuals or the monitoring of their behavior. GDPR could affect U.S. plan administrators of pension, welfare, equity, and other deferred compensation programs if offering such benefits is deemed to be in connection with the offering of services and participants include EU citizens or residents. Non-EU companies subject to the new regulation must appoint a representative in the EU to respond to EU regulator inquiries and, presumably, to receive penalty assessments for any compliance lapses. U.S. companies that are subject to the regulation and handle personal data of EU individuals should assess their current state of compliance and evaluate whether additional measures are needed to comply with the new regulation.
The GDPR is available here.