Coming in May 2018, the EU will institute its landmark data privacy legislation, the General Data Protection Regulation (GDPR) – a piece of legislation that seeks to protect the personal data of EU citizens by regulating how organizations collect, store and process that data.
Unlike the Data Protection Directive adopted in 1995, which did not regulate companies based outside the EU, the GDPR is relevant to multinational companies that may be headquartered in the U.S., U.S. companies that have direct business operations in the EU, and also to many U.S. companies that do not. In an online context, the GDPR will be relevant if:
• You have a strong internet presence in the EU (even if you do not sell directly into the EU)
• You are an e-commerce company that accepts EU currencies and/or has an EU domain suffix (such as .co.uk, .fr, .de, etc.)
• You have any EU visitors and you conduct personalization on your website.
What is the cost of non-compliance?
If any of the above criteria apply to your organization, you should carefully review your data handling practices and determine whether the GDPR is likely to apply to your online activities, because fines under the new regulation will be significant.
The GDPR introduces significant fines. For not reporting a breach to a regulator within 72 hours, fines are in the first tier of penalties — 2% of global revenue rather than the higher 4% that has received more press attention.
It’s still unclear how EU regulators would impose these penalties on U.S. companies, but the scale of the potential fines should mean that even U.S. companies should be taking the new rules seriously.
How can you become compliant?
Contrary to popular belief, compliance with the GDPR can be achieved simply and without a huge amount of resources. However, it’s not a straightforward check-box exercise and some of the steps may require input from multiple stakeholders within your organization.
For a more detailed guide to the new requirements, the U.K. regulator has published a summary of the GDPR (https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/), which is a great starting point.
The GDPR will change the way companies interact with data — not just in the EU but around the world. U.S. brands, especially those with a strong internet presence, should be carefully reviewing their data handling practices and determining whether or not the GDPR is likely to apply to their online activities. Any concerns should be discussed with counsel well in advance of the GDPR’s effective date in order to avoid the considerable fines under the new regulation.