The European Union’s most comprehensive data privacy overhaul in decades, the General Data Protection Regulation (GDPR), becomes effective on May 25, 2018 – just over one month away. With the deadline fast approaching, it has been widely reported that businesses around the world are not prepared or are significantly underprepared for the GDPR. This poses a serious problem because the GDPR is a radical change to the EU’s regulatory scheme that requires businesses inside and outside of the EU to substantially overhaul their current data privacy policies and practices, and to adhere to rigorous ongoing requirements (e.g., data breach notification requirements, extensive record keeping parameters, ensuring proper documentation with third parties, etc.), in order to achieve compliance. GDPR compliance cannot be ignored because, if it applies to a business (a determination we can help you with), the penalties for non-compliance are substantial, including fines up to 4% of annual worldwide turnover or €20 million (whichever is greater). It is not safe to assume there will be a transition period for businesses to adjust to the GDPR or “get up to speed,” so contacting Sidley Austin or a similar legal expert to ensure you are compliant before this date is key. In fact, data protection authorities have already confirmed that they will begin to enforce the GDPR on May 25, which we expect to include scrutiny of policies and practices, investigations, and other enforcement activities. As a signal that data protection authorities are ramping up for May 25, last year the Bavarian Data Protection Authority in Germany sent a GDPR questionnaire to 150 randomly selected companies addressing issues such as the existence of data protection guidelines, transparency, and the involvement of third parties. The questionnaire was confirmation that data protection authorities expect businesses to be GDPR compliant by May 25.
As May 25 will be here in just over a month, there is no time to waste. Smart, effective preparation for the GDPR is necessary to avoid substantial penalties and mitigate risk, starting with an assessment of your risk profile and an audit to determine recommended steps to bring your business into compliance with the GDPR. Our attorneys are at the forefront of data privacy laws and regulations, including the GDPR, and can develop and implement cost-effective, targeted strategies to ensure GDPR compliance. Please contact John Renzulli or Michael Patrick for more information on how Renzulli Law Firm can help you and your business.