Executive Summary: Companies with people in the EU or doing business in the EU need to be thinking about the EU’s General Data Protection Regulation (GDPR) and whether the regulation applies to them. In approximately two months, the EU’s GDPR will take effect. The deadline for complying with this considerable change in law is May 25, 2018. If your company is covered by the GDPR, it is urgent that you pay attention to the new requirements, considering the monumental size of potential penalties for failing to comply.
As we mentioned in our last update, available here, the GDPR significantly expands the jurisdiction of the EU’s data privacy regulatory framework to companies processing or controlling the personal data of employees or other individuals residing in the EU — regardless of the company’s location.
The GDPR covers companies if they fall under one (or more) of the following three tests:
- the “establishment test” – applies where processing takes place in the context of activities of an establishment in the EU, regardless of whether the processing takes place in the EU. The term “establishment” is not strictly defined;
- the “goods and services test” – applies to the processing of personal data of individuals who are in the EU by entities not established in the EU, where processing relates to the offering of goods and services; or
- the “monitoring test” – applies to the processing of personal data of individuals who are in the EU by an entity not established in the EU, where processing relates to the monitoring of their behavior within the EU.
A company could also technically be subject to the GDPR if the company is not established in the EU, but is subject to the laws of the EU by virtue of public international law. Such circumstances are rare.
Among other heightened requirements and obligations, if a company is covered under the GDPR:
- It will be subject to stricter rules on obtaining employee consent to process and share personal data.
- It may have to appoint a data protection officer.
- Its employees will have greater rights with respect to access and control of their personal data.
- It will be subject to stricter record-keeping requirements.
- It must comply with stricter and enhanced reporting obligations to the data protection authority(ies).
- It could be subject to significant penalties for committing a breach, including up to 4 percent of annual global revenues or €20 million (whichever is greater).
Various EU member states are also in the process of adjusting and updating their applicable data privacy and protection rules to comply with the GDPR. Thus, it will also be important for companies who do business in the EU or involving EU-based individuals to make sure that they remain in compliance with applicable local guidelines on data privacy and protection.
The Bottom Line: There is still limited time for impacted companies to bring themselves into compliance with the applicable requirements, but May 2018 is right around the corner. Companies covered by these regulations should not delay in becoming familiar with them. Failure to do so could expose the company to significant penalties, including the greater of 4 percent of global revenue or €20 million.