What US companies need to do about the EU’s new General Data Protection Regulation (GDPR)

Does your firm do business with customers in the European Union?

While it’s been a long time coming, the EU’s new General Data Protection Regulation (GDPR) is a ‘game changer’ with respect to the way US organizations store, process, and transfer the personal information of European residents.

Bear in mind that this includes just about every US e-commerce operation that trades internationally!

Ambitious, Complex, Strict

The General Data Protection Regulation (GDPR) has been described by commentators as ambitious, complex, and strict. All organizations that collect, store, and process personal data of EU residents have until May 2018 to comply with the GDPR, or potentially face fines of up to 4% of annual turnover or €20 million. Complying with the new law will require significant updates to policies, processes, and service contracts, as well as to the information security measures used to protect this data.

With over 200 pages of detailed requirements, the GDPR raises many business-critical issues for US companies that need to ensure they maintain and grow their business in the EU. How to take advantage of the two-year transition period, how it relates to the new Privacy Shield agreement, and the potential conflicts with US federal and state laws will be at the top of this agenda.

Getting ready for GDPR

While much has already been written about the interaction between the GDPR and US firms, I always return to the excellent blog by Matthew Baker, who works for Katten Muchin Rosenman LLP:

It is important for US-based companies operating in the European Union—beginning in 2016—to consider the GDPR’s requirements as integral components to their privacy and data security planning to avoid complications during the transition to the new regulatory regime.

US-based companies that collect personal information and that operate within the European Union should consider preparing for the GDPR’s implementation by:

  • Developing (or revising) a privacy program that collects and retains personal information only to the extent necessary (e.g., adhering as closely as possible to the European Union’s “purpose limitation” requirements).
  • Appointing a knowledgeable data protection officer or a chief privacy officer to oversee the company’s privacy practices and ensure compliance with both domestic and international regulations.
  • Reviewing (and possibly amending) contracts with third parties that process, control or maintain collected personal information to ensure proper safeguards and data breach reporting procedures.
  • Ensuring that there are updated and tested data breach response policies and programs to ensure timely notification to regulators and consumers in the event of a data breach.

Our one-day Certified EU General Data Protection Regulation (GDPR) Foundation Online training course provides a comprehensive introduction to the GDPR, and a practical understanding of the implications and legal requirements for organizations that collect and process personal information.

This interactive, real-time Live Online training course lets delegates study from any location in the US and is next scheduled for November 3 at 09:00 EST.