The General Data Protection Regulation (GDPR) is a new law that will harmonize data protection in the European Union (EU) and will be enforced from May 25, 2018. It aims to protect EU residents from data and privacy breaches, and has been introduced to keep up with the modern digital landscape.
Who needs to comply with the GDPR?
The GDPR will apply to organizations established in the EU and to organizations outside the EU that process the personal data of EU residents, for example by offering them goods or services or by monitoring their behaviour.
Non-compliance can result in hefty fines of up to 4% of annual global turnover or €20 million (about $23.5 million), whichever is greater.
Organizations that are compliant with the new Regulation will also find that their processes and contractual relationships are more robust and reliable.
What do US organizations need to do to comply with the GDPR?
The transition period for compliance with the GDPR ends in May 2018. This means that organizations now have less than ten months to make sure they are compliant.
For US organizations, the most significant change concerns the territorial reach of the GDPR.
The GDPR will supersede the current EU Data Protection Directive. Under the current Directive, organizations without a physical presence or employees in the EU have one main compliance issue to deal with: how to legally transfer data out of the EU. The EU–US Privacy Shield provides such a mechanism for compliance.
Almost all US organizations that collect or process EU residents’ data will need to comply fully with the requirements of the GDPR. US organizations without a physical EU presence must also appoint a GDPR representative based in a Member State, unless their processing is only occasional, does not involve special categories of data or criminal-conviction data on a large scale, and is unlikely to pose a risk to individuals.
Save 10% on your essential guide to the GDPR and the EU–US Privacy Shield
Alan Calder’s EU GDPR & EU-US Privacy Shield – A Pocket Guide explains in simple terms:
- The terms and definitions used within the GDPR and the EU-US Privacy Shield
- The key requirements
- How to comply with the Regulation