Paul C. VanSlyke, Senior Counsel at Hoover Slovacek LLP
Call Today For A Consultation

European Union Data Privacy Law Requires Urgent Compliance by U.S. Companies

The European Union General Data Protection Regulation (GDPR) will become law on May 25, 2018 that is rapidly approaching with multi-billion dollar penalties for violation. It will require significant change to websites of U.S. companies and how they may collect and use personal data derived in Europe. This includes U.S. companies that have operations or vendors in Europe and transmit personal data from employees and vendors to the U.S. for processing and reporting. The penalties for GDPR violations are up to the greater of 4% of the company's global revenue or 20 million Euros are substantial. Now is the time for executives of U.S. companies to take prompt actions to comply before it is too late.

The GDPR Covers More Types of Sensitive Data Than in the USA

Almost all the United States breach notification laws apply only to defined categories of unique, personally identifying information ("PII") such as Social Security Numbers, driver's license numbers, health information, or financial account numbers.

The GDPR breach notification provision has a far broader scope than U.S. law requires. It potentially applies to any data breach that involves "personal data." That term is defined as including any information relating to an identified or identifiable person. Theoretically a loss of personal data as innocuous as a list of names, home addresses or internet addresses could trigger a notification obligation in Europe. Such a breach would rarely if ever trigger a notification obligation in the United States.

There is Still Time to Comply

There's still time to comply. Initial preparations include the following:

  • Assessing personal data processing, storage, use, and disclosure
  • Determining how the GDRP affects your website
  • Reviewing consents from data subjects
  • Identifying international data flows
  • Reviewing and updating security and response procedures
  • Determining whether a data protection officer (DPO) should be appointed
  • Reviewing agreements with vendors and data processors
  • Determining the interrelationship between the GDRP requirements and direct marketing, profiling and advertising
  • Conducting a privacy impact assessment by counsel so that it will be privileged and not accessible by European enforcement agencies.

After these initial preparations have been made, most companies will be ready when the GDPR takes effect May 25, 2018 and can avoid the penalty of up to the greater of 4% of the company's global revenue or 20 million Euros.

No Comments

Leave a comment
Comment Information

How Can We Help?

Bold labels are required.

Contact Information

The use of the Internet or this form for communication with the firm or any individual member of the firm does not establish an attorney-client relationship. Confidential or time-sensitive information should not be sent through this form.


Privacy Policy

Contact Us

Houston Office
5051 Westheimer Road
Suite 1200, Galleria Tower 2
Houston, TX 77056

Phone: 713-714-2189
Fax: 713-458-4829
Houston Law Office Map

Austin Office
By Appointment
823 Congress Avenue
Suite 620
Austin, TX 78701

Phone: 713-714-2189
Map & Directions

Phone Number
Fax Number
  • RATED BY | Super Lawyers | Paul C. Van Slyke
  • Martindale-Hubbell | AV PREEMINENT
  • Avvo Rating | 10.0 | Paul C. Van Slyke | Top Attorney
  • Best Lawyers
  • WTR | 1000