Ready or Not...the GDPR Effective Date is Here
Now that May 25th, the long-awaited effective date of the European Union ("EU") General Data Protection Regulation (Regulation 2016/679) ("GDPR"), has arrived, many companies are realizing that they have more work to do to become fully compliant with its far-ranging and complex requirements. According to one report, 52% of companies expect to be compliant as of the GDPR's effective date, 40% expect to be compliant after the effective date, and 8% do not know when they will achieve compliance.[i] Despite the large percentage of companies that will not be fully compliant, EU data protection authorities have made it clear that there will be no grace period. As Helen Dixon, Ireland's Data Protection Commissioner, acknowledged to Bloomberg Law, however, "if companies get the basics right in the GDPR, they are off to a good start."[ii] For companies that are not fully compliant, it is not too late to take steps to achieve compliance. Here are a few key areas of focus for every company:
First, determine whether the GDPR applies to your company. The GDPR applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the EU, regardless of whether the processing takes place in the EU. While many U.S. companies do not have an establishment in the EU, the GDPR also applies to the processing of personal data of data subjects in the EU by a controller or processor not established in the EU, where the activities relate to: 1) offering goods or services to such data subjects in the EU (regardless of whether payment is required from the data subject) or 2) monitoring the behavior of the data subjects if the behavior takes place in the EU. Second, identify the types of data processing activities that your company undertakes that may trigger the GDPR. Companies must understand how they are collecting and processing personal data in order to demonstrate compliance. Third, companies must ascertain and be transparent with data subjects about their processing activities. Finally, companies should focus on their ability to honor individual data subjects' rights, including the right to be informed, the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, and rights related to automated decision-making and profiling. Dixon noted that when organizations fail to honor the enumerated rights that the GDPR gives every data subject, higher fines should be expected.
Verrill Dana has been counseling U.S. companies on EU data protection laws (including the EU Data Protection Directive, which preceded the GDPR) for many years, and we are currently assisting various clients with their GDPR compliance efforts. Now that the effective date has arrived, it is important that companies do not delay their efforts toward GDPR compliance. Please feel free to contact one of our GDPR attorneys to assist your company with any remaining work your company needs to undertake to become fully compliant and avoid the specter of stiff penalties under the GDPR (up to €20 million or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher).
[i] "The Race to GDPR: A Study of Companies in the United States & Europe." McDermott Will & Emery LLP and Ponemon Institute LLC, Apr. 2018. Available at https://iapp.org/media/pdf/resource_center/Ponemon_race-to-gdpr.pdf.
[ii] Dixon, Helen, and Daniel R. Stoller. "EU Officials: Stick to Basics to Prep for New Privacy Regime." Bloomberg BNA Privacy & Security Law Report, 2 Apr. 2018. Bloomberg Law. Accessed 24 May 2018.
This communication is intended for general information purposes and as a service to clients and friends of Verrill Dana, LLP. This publication, which may be considered advertising under the ethical rules of certain jurisdictions, should not be construed as legal advice or a legal opinion on any specific facts or circumstances, nor does it create attorney-client privilege.