The EU’s General Data Protection Regulation went into effect on May 25, 2018. GDPR replaced the EU Data Protection Directive. GDPR can apply to US-based businesses even if they do not have offices or employees in the EU. It can also reach activities conducted outside the EU.
The directive did not regulate US businesses unless the collection or processing occurred within the EU (e.g., if a US-based company had a data center in the EU). Now GDPR clearly has stronger extraterritorial reach than its predecessor.
Businesses collecting and using personal data should know their GDPR obligations. Violators of GDPR face steep penalties. Regulators can fine a company up to 20,000,000 euros or 4% of worldwide annual turnover, whichever is higher.
Does GDPR Apply to Your Company?
Follow our three-question flowchart to see if GDPR applies to you.
Are You Required To Designate a Data Protection Officer?
Follow our five-step flowchart below to see if you need to designate a DPO:
Data Processor GDPR Checklist
A major change with the GDPR is that data processors now have direct legal obligations under EU privacy law. This is a significant shift from the current EU Directive, which only directly obligates the data controllers. Non-compliant data processors face significant fines of up to 4% of global annual turnover or 20,000,000 euros, whichever is higher, and may be directly liable to individuals for damages.
If the GDPR applies to you, review our checklist below summarizing the data processor’s obligations:
Do Your Vendor Contracts Comply with GDPR?
Any entity processing personal data on your behalf (i.e., your vendors) must have a written contract in place. The GDPR requires specific language in your vendor contracts.
GDPR Breach Notification Checklist
U.S. companies already face a panoply of data breach notification laws enacted by 48 States and numerous regulators. Those subject to the GDPR may soon have yet another breach notification requirement to worry about.
Follow our chart below to determine if and when you must provide notice, who you must notify, and what your notice should include.
This text leaves open plenty of questions. However, on October 3, 2017, the Article 29 Working Party issued guidelines interpreting these data breach notification requirements. Here are some of the answers:
Rights of Individuals Under the GDPR
The GDPR provides enhanced rights for individuals. Below we summarize the general principles companies must follow when interacting with individuals and we identify the specific rights granted to individuals under the GDPR. We also suggest some practical steps to assist your company’s compliance with this portion of the GDPR.
GDPR and Cross-Border Data Transfers
If your company is a controller or processor under the GDPR (for US companies, review this flowchart), then your company must comply with the GDPR’s requirements regarding the transfer of personal data of EU individuals to any country outside of the EU/EEA.
In the absence of an adequacy decision (explained below) and subject to very limited exceptions, controllers and processors are required to ensure that an “appropriate safeguard” or another GDPR-approved mechanism is in place before sending personal data of EU individuals outside of the EU/EEA.
The table below describes the mechanisms commonly used to lawfully transfer personal data of EU individuals outside of the EU/EEA. A full list of the transfer mechanisms can be found in Article 46.
GDPR Privacy Policy Checklist
If your company is a data controller under the GDPR (for US companies, follow this flowchart), then your company will need to update its privacy policy or privacy notice. Under the GDPR, privacy policies must contain more detailed disclosures, while also being understandable and accessible. Even under the current privacy laws, EU regulators have demonstrated they will enforce rules on transparency in privacy disclosures. On February 16, 2018, a Belgian court threatened to fine Facebook US $125 million for failure to disclose its personal data collection practices. These fines may be steeper after May 25th, since the GDPR increases the maximum penalties.
How Will Brexit Affect Data Privacy Law & the GDPR in the UK?
Brexit, an Unprecedented Event
Whether Brexit takes place on 29 March 2019 or is effectively deferred until the end of a transitional period (31 December 2020), the UK will likely adopt data protection legislation which largely tracks the GDPR. There is no precedent for Brexit, and it is impossible for companies to foresee every scenario that may arise and the impact it may have on data protection law in the UK. Companies which process the personal data of citizens of the UK or have operations in the UK will need to keep a close watch on the law over the coming months.
Enforcing the GDPR on US Companies
At this point, it is no secret that many US companies will be subject to the GDPR. Under the GDPR, EU regulators will have the authority to punish noncompliance by imposing hefty fines, issuing injunctions, assessing bans on processing, and suspending international data transfers.
The practical impact of such enforcement measures is the ability to devastate a product, service, or business.
Many US companies may still be wondering:
Top 5 Takeaways on the GDPR
We live in a new world of EU privacy rules shaking US businesses. As of 10 months ago, many of you had not heard about the GDPR when we explained how the GDPR applies to US companies. By now your company may be on its way to GDPR compliance (but beware: see takeaway #3 below).
For those of us who have been immersed in GDPR compliance projects over the last year, it was refreshing to hear so many of our colleagues, family members and news outlets around the world pay attention to the GDPR on May 25th. But we also heard a lot of misunderstandings about the GDPR. Here are our five takeaways from the past year:
Our Data Privacy and CyberSecurity Team, along with our international network, including our combination with Womble Bond Dickinson (UK) LLP and relationship Lex Mundi member firms, is available to assist and advise clients in efficiently addressing GDPR-related issues.