The General Data Protection Regulation (GDPR) takes effect in the European Union (EU) on May 25, 2018.  Although U.S. businesses may think that EU regulations do not apply to them, GDPR extends to any entity that collects, stores, or uses personal data of people in the EU (data subjects), even if that entity has no physical presence in the EU.  Organizations subject to GDPR now have less than three months to ensure compliance.  Therefore, it is crucial to evaluate your company’s obligations for compliance and understand the risks of noncompliance.

Obligations of U.S. Companies

GDPR creates new obligations, and U.S. businesses must invest significant time and resources to comply.  Three impactful obligations relate to data subjects’ consent to process their data, data subjects’ right to be forgotten, and the appointment of an executive-level data protection officer.

1. Consent Requirements

A business must have a lawful basis to process personal data, such as consent.  Processing certain types of data, including data concerning race, ethnicity, religion, political affiliation, and health, requires “explicit” consent from the data subject.  Consent must be affirmative, informed, and freely given; implied consent, which may be acceptable in the U.S., will be insufficient under GDPR.

2. The Right to Be Forgotten

GDPR grants data subjects new rights, including the right to data erasure—more commonly called the “right to be forgotten.”  The right to be forgotten allows data subjects to request deletion of their data under certain circumstances, including when the data subject withdraws consent or objects to the processing of his or her data.  The right to be forgotten poses an operational challenge for many businesses, which must implement a process for, and invest staff time in, responding to data subjects’ requests.  The right to be forgotten marks a significant shift in privacy law and is an unfamiliar concept in the U.S.

3. Data Protection Officer

Compliance with the GDPR also requires some organizations to appoint an executive-level data protection officer.  The data protection officer must act independently, report directly to the organization’s highest level of management, inform the organization of its obligations under GDPR, and monitor compliance with GDPR.

Consent, the right to be forgotten, and the data protection officer are key features of GDPR, but this is far from a comprehensive list of GDPR requirements.

Consequences of Noncompliance

Noncompliance with GDPR comes at a steep cost.  The maximum penalty for failure to comply is €20 million or 4% of an organization’s worldwide revenue, whichever is greater.  Additionally, data subjects have the right to seek a judicial remedy against infringing organizations.  Therefore, GDPR offers a strong incentive for compliance.

GDPR Is Here

Many companies have spent months, if not years, preparing for GDPR, and at least one state is considering legislation that would create similar rights for data subjects.  With May 25, 2018 rapidly approaching, organizations must assess whether GDPR applies to their business and work swiftly toward compliance.