Effective May 25, 2018, the enforcement provisions of the European Union’s General Data Protection Regulation (GDPR) take effect. Arguably, the GDPR is the most sweeping piece of data protection and privacy legislation to come into force.
This regulation applies both to companies located in the European Union (EU) that process the personal data of EU citizens and, under most conditions, to companies located outside the EU that process the personal data of EU citizens. As a result, regardless of location, a company should assume that the GDPR applies to its business if it uses or stores data from EU citizens.
While all companies are expected to comply with the provisions of the GDPR, there are exceptions to the most stringent requirements for companies with fewer than 250 employees. However, these exceptions are narrow in scope, and a company must consider them carefully before deciding whether they apply.
For businesses in the United States, the United States Department of Commerce and the European Commission have established a mechanism that allows a self-certification process for transferring personal data from the EU to the United States.
The potential fines for not complying with GDPR are significant; maximum penalties are 4% of a company’s global revenue or 20 million euros, whichever amount is greater.
Importantly, even if a company uses third-party vendors to process personal data from EU citizens, the company should ensure that each vendor is GDPR compliant. If a vendor is not GDPR compliant, assume that your company is not GDPR compliant either.