Is Your U.S. Company Ready for the EU General Data Protection Regulation?


Europeans, because of the continent’s history of fascist and totalitarian governments, have been more concerned about the protection of their privacy and personal data than Americans, although this may be changing as more and more Americans become victims of identity theft due to hacks of their financial information held by credit bureaus, banks, retailers and others.

However, European law is far ahead of American law when it comes to protecting individuals’ personal data. On May 25, 2018, the far-reaching EU General Data Protection Regulation (GDPR) comes into force.

The GDPR applies to all organizations processing the personal data of individuals (“data subjects”) residing in the European Union, regardless of the organization’s location.  Even with Brexit, the UK will enforce the GDPR.    

If your company handles any data of EU citizens and residents, then you must comply with GDPR even if you have no physical operations in the EU. The fines for non-compliance are draconian – 20 Million Euros or 4% of a company’s worldwide gross annual revenue, whichever is greater.

There are many complex steps companies and other organizations controlling or processing personal data of EU citizens and residents need to take to comply with GDPR. Here are some highlights.

  • Organizations must allow individuals to provide consent and be able to withdraw consent for the handling of their personal data. This consent process must be easy for the individuals to use.

  • There is a mandatory breach notification process with short time frames for reporting.

  • Data subjects have the right to obtain confirmation as to whether personal data concerning them is being processed, where and for what purpose. They have the right to receive a copy of the personal data, free of charge, in an electronic format.

  • Data subjects have a “right to be forgotten.”

  • GDPR requires data portability and privacy by design.

  • Data protection officers are required to be appointed in many organizations.

Compliance with GDPR is not optional if you handle personal data of EU citizens and residents.  The time to take compliance action is short.