Surprise – EU Data Privacy Laws Could Impact You, Too!

Bracewell LLP
Contact

Bracewell LLP

On May 25, 2018, the European Union’s data privacy regime is getting an upgrade and like many operating system upgrades, the EU’s new approach (the General Data Protection Regulation, or GDPR) is designed to improve individual protections.  It will also, however, raise various new operations concerns.  Like with many operating system upgrades, the organizations that plan ahead for life under the new regime will be best positioned to identify errors, make adjustments and ultimately have a better GDPR compliance record going forward. Organizations based outside the EU, including those here in the United States, need to take heed because the GDPR may very well apply to your operations.
 
At its most basic, the GDPR governs the protection of processing and moving of personal data associated with natural persons in the EU.  Perhaps the biggest change implemented by the GDPR is that it can apply equally to non-EU companies with no direct operations in the EU. As a result, non-EU companies that offer products or services to natural persons in the EU are expected (by the Independent Supervisory Authorities identified by the GDPR) to develop a GDPR compliance program.  Other key new components required by the GDPR include explicit data breach notification requirements and steep penalties associated with non-compliance.  In the event of a data breach, companies are required to notify their designated Independent Supervisory Authority within 72 hours.
 
The GDPR also more thoroughly addresses the mechanics and realities of modern data processing, use and storage (expanding the earlier EU Data Protection Directive).  The GDPR covers matters related to the types of personal data being collected, uses of the data, the location of data processing, underlying basis for processing, and modifications to the data; all of which must be addressed as part of any GDPR program. The need for a transfer mechanism to transfer personal data from the EU to a third country is still required and the GDPR expands upon the options available that ensure an adequate level of protection. Any compliance program requires appropriate technical and organizational measures to ensure data privacy protection. 
 
For U.S.-based companies that are adjusting their data privacy programs to meet GDPR requirements, there is considerable guidance available to aid GDPR compliance integration into a pre-existing compliance program. Companies adopting GDPR should emphasize, within their organizations, the expectation of individual responsibility for compliance, throughout all levels of the company. For example, senior leaders should be educated about new GDPR-based privacy expectations and should be encouraged to speak out in favor of compliance. Companies should also assess what ongoing steps can be taken to demonstrate a commitment to compliance with GDPR, including documenting and tracking any remediation efforts that are required, if shortcomings are discovered.  Finally, the GDPR compliance or audit function should be subject to review and adjustment.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Bracewell LLP | Attorney Advertising

Written by:

Bracewell LLP
Contact
more
less

Bracewell LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.