GDPR is Coming: Is Your Business Ready?

McNees Wallace & Nurick LLC

Even if your company primarily operates in the U.S., the European Union’s General Data Protection Regulation (GDPR)—which will take effect on May 25, 2018—may affect your organization.  Here are three facts that all businesses should know about the GDPR.

  1. GDPR May Regulate Your U.S.-based Business 
    By its terms, the GDPR regulates any business that collects, stores, or uses the personal data of EU residents.  This includes businesses that do not have a physical presence in the EU.  The GDPR’s aggressive extraterritorial reach marks a significant change in current law.  Additionally, the GDPR provides a good indication of changes that may come to U.S. privacy laws.  For example, the New York legislature, inspired by the GDPR, recently proposed the Right to be Forgotten Act, which would, if enacted, provide individuals with the right to request that inaccurate or irrelevant information about them be removed from the internet.  Because the GDPR will continue influencing privacy regulations across the globe, companies that comply with the GDPR will be prepared for future changes in U.S. legislation.
  2. GDPR Compliance Requires Advance Planning
    The GDPR imposes a host of affirmative obligations on businesses.  For example, organizations must appoint an executive-level Data Protection Officer; erase personal data upon request; and provide data breach notifications within 72 hours.  The GDPR also introduces new requirements for obtaining consent to process personal data.  Thus, ensuring compliance with the GDPR requires significant advance planning by an organization, and businesses that wait until the eve of the GDPR’s implementation risk running afoul of EU regulators.
  3. Fines for Non-Compliance May Exceed 20 Million Euros
    For businesses that fail to comply with the GDPR, the maximum penalty is €20 million or 4% of a company’s worldwide revenue, whichever is greater. The GDPR therefore offers a strong incentive to ensure compliance.

With just under one year until the GDPR takes effect, companies must assess whether the GDPR applies to their business and take steps to ensure compliance.  The attorneys in McNees Wallace & Nurick LLC’s Privacy & Data Security practice group stand ready to answer your questions and offer guidance in navigating this new regulatory regime.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© McNees Wallace & Nurick LLC | Attorney Advertising
