GDPR Compliance Task Force

Follow our three-question flowchart to see if GDPR applies to you.

Follow our five-step flowchart below to see if you need to designate a DPO:

A major change with the GDPR is that data processors now have direct legal obligations under EU privacy law. This is a significant shift from the current EU Directive which only directly obligates the data controllers. Non-compliant data processors face significant fines of up to 4% of global annual turnover or 20,000,000 euros, whichever is higher and may be directly liable to individuals for damages.

If the GDPR applies to you, review our checklist below summarizing the data processor’s obligations:

Any entity processing personal data on your behalf (i.e., your vendors) must have a written contract in place. The GDPR requires specific language in your vendor contracts. 

U.S. companies already face a panoply of data breach notification laws enacted by 48 States and numerous regulators. Those subject to the GDPR may soon have yet another breach notification requirement to worry about.

Follow our chart below to determine if and when you must provide notice, who you must notify, and what your notice should include.

This text leaves open plenty of questions. However, on October 3, 2017, the Article 29 Working Party issued guidelines interpreting these data breach notification requirements. Here are some of the answers:

The GDPR provides enhanced rights for individuals. Below we summarize the general principles companies must follow when interacting with individuals and we identify the specific rights granted to individuals under the GDPR. We also suggest some practical steps to assist your company’s compliance with this portion of the GDPR.

If your company is a controller or processor under the GDPR (for US companies, review this flowchart), then your company must comply with the GDPR’s requirements regarding the transfer of personal data of EU individuals to any country outside of the EU/EEA.

In the absence of an adequacy decision (explained below) and subject to very limited exceptions, controllers and processors are required to ensure that an “appropriate safeguard” or another GDPR-approved mechanism is in place before sending personal data of EU individuals outside of the EU/EEA.

The table below describes the mechanisms commonly used to lawfully transfer personal data of EU individuals outside of the EU/EEA. A full list of the transfer mechanisms can be found in Article 46.

If your company is a data controller under the GDPR (for US companies, follow this flowchart), then your company will need to update its privacy policy or privacy notice. Under the GDPR privacy policies must contain more detailed disclosures, while also being understandable and accessible. Even under the current privacy laws, EU regulators have demonstrated they will enforce rules on transparency in privacy disclosures. On February 16, 2018, a Belgian court threatened to fine Facebook US $125 million for failure to disclose its personal data collection practices. These fines may be steeper after May 25th since the GDPR increases the maximum penalties.

Brexit, an Unprecedented Event

Whether Brexit takes place on 29 March 2019 or is effectively deferred until the end of a transitional period (31 December 2020) the UK will likely adopt data protection legislation which largely tracks the GDPR. There is no precedent for Brexit and it is impossible for companies to foresee every scenario that may arise and the impact it may have on data protection law in the UK. Companies which process the personal data of citizens of the UK or have operations in the UK will need to keep a close watch on the law over the coming months.

At this point, it is no secret that many US companies will be subject to the GDPR. Under the GDPR, EU regulators will have the authority to punish noncompliance by imposing hefty fines, issuing injunctions, assessing bans on processing, and suspending international data transfers.
The practical impact of such enforcement measures is the ability to devastate a product, service, or business.
Many US companies may still be wondering:

We live in a new world of EU privacy rules shaking US businesses. As of 10 months ago, many of you had not heard about the GDPR when we explained how the GDPR applies to US companies. By now your company may be on its way to GDPR compliance (but beware: see takeaway #3 below).

For those of us who have been immersed in GDPR compliance projects over the last year, it was refreshing to hear so many of our colleagues, family members and news outlets around the world pay attention to the GDPR on May 25th. But we also heard a lot of misunderstandings about the GDPR. Here are our five takeaways from the past year: