The far-reaching European General Data Protection Regulation (GDPR) takes effect on May 25, 2018. Yet, with only six weeks to go, many companies are still unaware that their businesses must comply with the GDPR or face large fines. The GDPR doesn’t just apply in the European Union; it can apply to companies both inside and outside the EU if they market goods or services to EU-based customers, or have any EU-based operations. The GDPR also covers all types of businesses, from technology companies to banks, manufacturers, and even online vendors. If your business touches the EU, and you deal with any data from people living in the EU, you need to evaluate your GDPR readiness. Here are a few questions to ask yourself about how the GDPR might apply to your business:

Does the GDPR apply to your company? The GDPR applies to U.S. and other Non-EU companies. For example, the GDPR could directly impact your business if any one of the following situations applies to your company:
  • You have any places of business in the EU; OR
  • You receive data from any European companies; OR
  • You sell products or services to customers in the European Union.

Are you aware of the possible penalties? The fines for GDPR violations can be massive, permitting the European privacy authority to levy fines of up to 4% of a company’s annual worldwide revenue, or €20 million (about $25 million), whichever is higher.

Has your company generated required GDPR compliance documentation? The GDPR requires organizations to affirmatively demonstrate compliance, for example, by creating publicly available GDPR-compliant privacy policies, and by generating detailed internal data inventories, audits, and data breach response plans. U.S. businesses can meet some of these obligations by joining the Privacy Shield program administered by the U.S. Department of Commerce. These obligations must be met before May 25, 2018, not after receiving a knock on the door from a regulatory agency.

Does your company have GDPR-ready Data Protection Agreements in place? The GDPR requires companies to have formal GDPR-compliant data processing agreements in place whenever sharing or transferring relevant personal data to vendors, clients, or partners. Are you using consultants, cloud services, or other vendors to assist in storing or managing personal data? If so, you need to make sure your company has a data protection agreement with your vendors.

Is your company prepared to enforce personal data rights? If you collect or receive personal information covered by the GDPR, including, for example, usernames or email addresses, you have certain obligations to the people behind that data. You should evaluate whether you are prepared to enforce the rights and legal requests of those people under the GDPR, including the rights to access, delete, or correct their data.

If you want to know more about the GDPR, or need help getting your business GDPR-ready by May 25, 2018, contact your attorney today—the deadline will be here before you know it.

April 18, 2018