The European Union General Data Protection Regulation (GDPR) becomes law on May 25, 2018, a date that is rapidly approaching, and it carries multi-billion dollar penalties for violations. It will require significant changes to the websites of U.S. companies and to how they may collect and use personal data originating in Europe. This includes U.S. companies that have operations or vendors in Europe and transmit personal data about employees and vendors to the U.S. for processing and reporting. The penalties for GDPR violations are substantial: up to the greater of 4% of the company's global revenue or 20 million Euros. Now is the time for executives of U.S. companies to take prompt action to comply before it is too late.
The GDPR Covers More Types of Sensitive Data Than in the USA
Almost all the United States breach notification laws apply only to defined categories of unique, personally identifying information ("PII") such as Social Security Numbers, driver's license numbers, health information, or financial account numbers.
The GDPR breach notification provision has a far broader scope than U.S. law requires. It potentially applies to any data breach that involves "personal data." That term is defined to include any information relating to an identified or identifiable person. Theoretically, a loss of personal data as innocuous as a list of names, home addresses or internet addresses could trigger a notification obligation in Europe. Such a breach would rarely, if ever, trigger a notification obligation in the United States.
There is Still Time to Comply
There's still time to comply. Initial preparations include the following:
- Assessing personal data processing, storage, use, and disclosure
- Determining how the GDPR affects your website
- Reviewing consents from data subjects
- Identifying international data flows
- Reviewing and updating security and response procedures
- Determining whether a data protection officer (DPO) should be appointed
- Reviewing agreements with vendors and data processors
- Determining the interrelationship between the GDPR requirements and direct marketing, profiling and advertising
- Conducting a privacy impact assessment by counsel so that it will be privileged and not accessible by European enforcement agencies.
After these initial preparations have been made, most companies will be ready when the GDPR takes effect on May 25, 2018, and can avoid the penalty of up to the greater of 4% of the company's global revenue or 20 million Euros.