May 24 2018

The EU’s General Data Protection Regulation goes into effect on May 25, 2018. GDPR replaces the EU Data Protection Directive. GDPR can apply to US-based businesses even if they do not have offices or employees in the EU. It can also reach activities conducted outside the EU.

The Directive did not regulate US businesses unless the collection or processing occurred within the EU (e.g., if a US-based company had a data center in the EU). GDPR clearly has stronger extraterritorial reach than its predecessor.

Businesses collecting and using personal data should know their GDPR obligations. Violators of GDPR face steep penalties. Regulators can fine a company up to 20,000,000 euros or 4% of worldwide annual turnover, whichever is higher.

Does GDPR Apply to Your Company?

Follow our three-question flowchart to see if GDPR applies to you.

[Flowchart: Does GDPR Apply?]

For a pdf version of this alert, click here.

Are You Required To Designate a Data Protection Officer?

Follow our five-step flowchart below to see if you need to designate a DPO:

[Flowchart: Are You Required to Designate a DPO?]


Data Processor GDPR Checklist

A major change under the GDPR is that data processors now have direct legal obligations under EU privacy law. This is a significant shift from the current EU Directive, which directly obligates only data controllers. Non-compliant data processors face fines of up to 4% of global annual turnover or 20,000,000 euros, whichever is higher, and may be directly liable to individuals for damages.

If the GDPR applies to you, review our checklist below summarizing the data processor’s obligations:

[Checklist: Data Processor Obligations Under the GDPR]


Do Your Vendor Contracts Comply with GDPR?

Any entity processing personal data on your behalf (i.e., your vendors) must have a written contract in place. The GDPR requires specific language in your vendor contracts.

[Checklist: GDPR Vendor Contract Requirements]


GDPR Breach Notification Checklist

U.S. companies already face a panoply of data breach notification laws enacted by 48 States and numerous regulators. Those subject to the GDPR may soon have yet another breach notification requirement to worry about.

Follow our chart below to determine if and when you must provide notice, who you must notify, and what your notice should include.

[Table 1: GDPR Breach Notification Requirements]

The text of the regulation leaves open plenty of questions. However, on October 3, 2017, the Article 29 Working Party issued guidelines interpreting these data breach notification requirements. Here are some of the answers:

[Table 2: Article 29 Working Party Guidance on Breach Notification]


Rights of Individuals Under the GDPR

The GDPR provides enhanced rights for individuals. Below we summarize the general principles companies must follow when interacting with individuals and we identify the specific rights granted to individuals under the GDPR. We also suggest some practical steps to assist your company’s compliance with this portion of the GDPR.

[Table: GDPR General Principles]

[Table: GDPR Individual Rights]

[Table: Practical Steps for Compliance]


GDPR and Cross-Border Data Transfers

If your company is a controller or processor under the GDPR (for US companies, review this flowchart), then your company must comply with the GDPR’s requirements regarding the transfer of personal data of EU individuals to any country outside of the EU/EEA.

In the absence of an adequacy decision (explained below) and subject to very limited exceptions, controllers and processors are required to ensure that an “appropriate safeguard” or another GDPR-approved mechanism is in place before sending personal data of EU individuals outside of the EU/EEA.

The table below describes the mechanisms commonly used to lawfully transfer personal data of EU individuals outside of the EU/EEA. A full list of the transfer mechanisms can be found in Article 46.

[Table: Mechanisms for Cross-Border Transfers of Personal Data]


GDPR Privacy Policy Checklist

If your company is a data controller under the GDPR (for US companies, follow this flowchart), then your company will need to update its privacy policy or privacy notice. Under the GDPR, privacy policies must contain more detailed disclosures while also being understandable and accessible. Even under the current privacy laws, EU regulators have demonstrated that they will enforce rules on transparency in privacy disclosures. On February 16, 2018, a Belgian court threatened to fine Facebook US $125 million for failure to disclose its personal data collection practices. These fines may be steeper after May 25th, since the GDPR increases the maximum penalties.

[Checklist: GDPR Privacy Policy Requirements]


How Will Brexit Affect Data Privacy Law & the GDPR in the UK?

Brexit, an Unprecedented Event

Whether Brexit takes place on 29 March 2019 or is effectively deferred until the end of a transitional period (31 December 2020), the UK will likely adopt data protection legislation that largely tracks the GDPR. There is no precedent for Brexit, and it is impossible for companies to foresee every scenario that may arise and the impact it may have on data protection law in the UK. Companies that process the personal data of UK citizens or have operations in the UK will need to keep a close watch on the law over the coming months.

[Table: How Brexit Will Affect Data Privacy Law in the UK]


Enforcing the GDPR on US Companies

At this point, it is no secret that many US companies will be subject to the GDPR. Under the GDPR, EU regulators will have the authority to punish noncompliance by imposing hefty fines, issuing injunctions, assessing bans on processing, and suspending international data transfers. In practice, such enforcement measures can devastate a product, service, or business. Many US companies may still be wondering:

[Table: Enforcing the GDPR on US Companies]


Our Data Privacy and CyberSecurity Team, along with our international network, including our combination with Womble Bond Dickinson (UK) LLP and our relationships with Lex Mundi member firms, is available to assist and advise clients in efficiently addressing GDPR-related issues.