GDPR is Coming: Is Your Business Ready?

May 31, 2017

By Thomas S. Markey

Even if your company primarily operates in the U.S., the European Union’s General Data Protection Regulation (GDPR)—which will take effect on May 25, 2018—may affect your organization.  Here are three facts that all businesses should know about the GDPR.

  1. GDPR May Regulate Your U.S.-based Business 
    By its terms, the GDPR regulates any business that collects, stores, or uses the personal data of EU residents.  This includes businesses that do not have a physical presence in the EU.  The GDPR’s aggressive extraterritorial reach marks a significant change in current law.  Additionally, the GDPR provides a good indication of changes that may come to U.S. privacy laws.  For example, the New York legislature, inspired by the GDPR, recently proposed the Right to be Forgotten Act, which would, if enacted, provide individuals with the right to request that inaccurate or irrelevant information about them be removed from the internet.  Because the GDPR will continue influencing privacy regulations across the globe, companies that comply with the GDPR will be prepared for future changes in U.S. legislation.
  2. GDPR Compliance Requires Advance Planning
    The GDPR imposes a host of affirmative obligations on businesses.  For example, organizations must appoint an executive-level Data Protection Officer; erase personal data upon request; and provide data breach notifications within 72 hours.  The GDPR also introduces new requirements for obtaining consent to process personal data.  Thus, ensuring compliance with the GDPR requires significant advance planning by an organization, and businesses that wait until the eve of the GDPR’s implementation risk running afoul of EU regulators.
  3. Fines for Non-Compliance May Exceed 20 Million Euros
    For businesses that fail to comply with the GDPR, the maximum penalty is €20 million or 4% of a company’s worldwide revenue, whichever is greater. The GDPR therefore offers a strong incentive to ensure compliance.

With just under one year until the GDPR takes effect, companies must assess whether the GDPR applies to their business and take steps to ensure compliance.  The attorneys in McNees Wallace & Nurick LLC’s Privacy & Data Security practice group stand ready to answer your questions and offer guidance in navigating this new regulatory regime.

© 2017 McNees Wallace & Nurick LLC
McNees Privacy & Data Security Alert is presented with the understanding that the publisher does not render specific legal, accounting or other professional service to the reader. Due to the rapidly changing nature of the law, information contained in this publication may become outdated. Anyone using this material must always research original sources of authority and update this information to ensure accuracy and applicability to specific legal matters. In no event will the authors, the reviewers or the publisher be liable for any damage, whether direct, indirect or consequential, claimed to result from the use of this material.