A common misconception is that the EU’s General Data Protection Regulation (GDPR) applies only to businesses physically located in the EU. As you know from our previous article (“The Final Countdown To The GDPR Is Here. Are You Ready?”), the GDPR – which becomes officially effective one month from today on May 25, 2018 – is a radical overhaul of the EU’s regulatory scheme, and one of its most significant and substantial changes is its extra-territorial impact. Broadly speaking, the GDPR applies to:
- EU-based businesses regardless of whether data is processed inside the EU or outside of the EU; and
- Businesses outside of the EU with respect to either the offering of goods or services to individuals in the EU or the monitoring of behavior of individuals in the EU.
In other words, the GDPR may apply to businesses that have absolutely no physical presence in the EU, e.g., a manufacturer or retailer based in the United States that tracks or profiles EU visitors to its website, engages in targeted advertising to customers in the EU, uses currency from an EU member state, or offers its products for sale to customers in the EU. For many businesses, whether they are considered to be offering goods or services to visitors in the EU or monitoring the behavior of individuals in the EU under the complexities of the GDPR may not be readily apparent. It is therefore imperative to proactively and carefully assess each set of individual circumstances against the requirements of the GDPR.
If the GDPR applies to your business (a determination we can help you make), existing privacy policies and practices will inevitably require substantial overhaul to achieve compliance before May 25 and to maintain compliance after May 25. For example, to become GDPR compliant, businesses must (among many other requirements):
- Implement strict, clear documentation policies that, among other things, demonstrate compliance with the GDPR;
- Review data policies and practices in general, including the handling of employee data, customer data, transfers to third parties, and breach notification;
- Review and, if necessary, modify contracts with third parties, e.g., vendors, to ensure minimum requirements are documented;
- Review and assess lawful grounds for processing data and, where processing is based upon consent, carefully follow the GDPR and include a clear, easy mechanism to withdraw consent; and
- Review and assess the right of individuals to, upon request, demand personal data be erased (the right to be forgotten).
Remember, failing to comply with the GDPR is not an option given that the penalties for non-compliance are substantial, including fines of up to 4% of annual worldwide turnover or €20 million, whichever is greater. Smart, effective preparation for the GDPR is necessary to avoid substantial penalties and mitigate risk, starting with an assessment of your risk profile and an audit to determine the recommended steps to bring your business into compliance with the GDPR. Our attorneys are at the forefront of data privacy laws and regulations, including the GDPR, and can develop and implement cost-effective, targeted strategies to ensure GDPR compliance.