Ready or Not...the GDPR Effective Date is Here

Verrill

Now that May 25th, the long-awaited effective date of the European Union (“EU”) General Data Protection Regulation (Regulation 2016/679) (“GDPR”), has arrived, many companies are realizing that they have more work to do to become fully compliant with its far-ranging and complex requirements. According to one report, 52% of companies expected to be compliant as of the GDPR’s effective date, 40% expected to be compliant only after the effective date, and 8% did not know when they would achieve compliance.[i] Despite the large percentage of companies that will not be fully compliant, EU data protection authorities have made it clear that there will be no grace period. As Helen Dixon, Ireland’s Data Protection Commissioner, acknowledged to Bloomberg Law, however, “if companies get the basics right in the GDPR, they are off to a good start.”[ii] For companies that are not fully compliant, it is not too late to take steps to achieve compliance. Here are a few key areas of focus for every company:

First, determine whether the GDPR applies to your company. The GDPR applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the EU, regardless of whether the processing itself takes place in the EU. While many U.S. companies do not have an establishment in the EU, the GDPR also applies to the processing of personal data of data subjects who are in the EU by a controller or processor not established in the EU, where the processing activities relate to: 1) offering goods or services to such data subjects in the EU (irrespective of whether a payment is required from the data subject) or 2) monitoring the behavior of those data subjects, to the extent that the behavior takes place in the EU.

Second, identify the types of data processing activities your company undertakes that may trigger the GDPR. Companies must understand what personal data they collect, why they process it, and where it flows in order to demonstrate compliance; a data inventory or record of processing activities is the usual starting point.

Third, companies must be able to account for their processing activities and be transparent with data subjects about them.

Finally, companies should focus on their ability to honor individual data subjects’ rights, including the right to be informed, the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object, and rights related to automated decision making and profiling. Dixon noted that when organizations fail to honor the enumerated rights that the GDPR gives every data subject, higher fines should be expected.

***

[i] “The Race to GDPR: A Study of Companies in the United States & Europe.” McDermott Will & Emery LLP and Ponemon Institute LLC, Apr. 2018. Available at https://iapp.org/media/pdf/resource_center/Ponemon_race-to-gdpr.pdf.
[ii] Dixon, Helen, and Daniel R. Stoller. “EU Officials: Stick to Basics to Prep for New Privacy Regime.” Bloomberg BNA Privacy & Security Law Report, 2 Apr. 2018. Bloomberg Law, accessed 24 May 2018.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Verrill | Attorney Advertising
