Written by Aaron Schildhaus
On May 25, 2018, US Companies that do business in Europe will be subject to the General Data Protection Regulation (GDRP).
This new law applies throughout the EU (including the UK). Its broad provisions regarding extraterritoriality and global data access, treatment and transmission means that all US and foreign companies which have business relationships and contacts with any EU member state will be affected, directly or indirectly.
If your company shares personal data with any of its subsidiaries, affiliates or other third parties in Europe, or if it processes personal data of European individuals in the US or elsewhere, or if it is contemplating such action, it should be aware that violations of the new law can result in penalties of up to the greater of 20 million Euros, or 4% of gross annual revenues.
Even if your company was in compliance with the 1995 Privacy Directive, you need to tailor your compliance methodology whether Binding Corporate Rules, Standard Contractual Clauses or the Privacy Shield Framework for conformity with the heightened requirements under the GDPR. Many companies are now treating compliance with the GDPR as “best practices” for global privacy compliance.
Very stringent controls are being placed on the gathering, use and treatment of all personal data, and a number of additional protections for individuals are built into this new Europe-wide law. Companies must report any breaches of data security within 72 hours of discovery. Some companies will need to appoint data protection officers (DPO’s). All companies will need to be prepared for the GDPR, so if your company has not yet done so, it is important to begin your preparation immediately.
“This alert does not constitute legal advice. If you have any questions, contact Aaron Schildhaus at [email protected] or (312) 897-1484.”
