On May 25, 2018, the European Union’s General Data Protection Regulation (GDPR) goes into effect. The GDPR was adopted in April 2016, and designed to protect the privacy rights of EU individuals through enhanced personal data protection. The GDPR sets new obligations and expectations regarding personal data. A key principle of the new regulation is that the ownership of personal data remains with the individual and not with companies. The rules don’t just affect the EU, but applies to all firms processing or controlling the personal information of EU residents, regardless of where those companies are located. The GDPR applies to all online interactions with EU citizens, no matter where the business is taking place.

US firms should be working on implementing the necessary technologies, policies, and procedures to ensure compliance by May. Depending on the size of the firm, these changes can be expensive and daunting, as many companies will have to build new structures into their systems and databases. The regulations include enhanced requirements regarding consumer consent, 72-hour breach reporting, and the “right to be forgotten” – meaning the right to request removal of personal data that they have posted online in the past. The GDPR also requires companies to maintain extensive records of personal data. Firms will need to store this information and turn over these records when requested, otherwise they could be subject to steep penalties. Fines for violations can reach up to 20 million Euros or 4 percent of a firm’s global annual revenue, per violation, whichever is larger. The GDPR governing body will have a lot of freedom in assessing fines for data breaches and non-compliance, as the GDPR leaves much to interpretation.