One Year Out: The EU's General Data Protection Regulation and How U.S. Businesses Can (and Must) Prepare to Comply

A year from today, radical changes to data privacy laws in the European Union will come into effect. Businesses should start preparing now, given the significant changes. The General Data Protection Regulation (GDPR) will impact U.S. businesses regardless of whether they have a corporate presence in the EU or use EU-based assets to process data (which are the current tests). If a U.S. business offers goods or services to EU based customers, or monitors their behaviour, for example through data analytics, they will potentially be within the scope of the GDPR.

The extra-territorial reach means that in practice, many businesses operating internationally will need to adopt European data privacy standards, which are likely to become the default global standards. The increased sanctions under the GDPR (up to a headline-grabbing 4 percent of global revenue), together with general public expectations on data privacy, mean that compliance with data privacy laws cannot be treated as a minor regulatory issue. The level of fines and other penalties puts data privacy at the same level as antitrust or anti-bribery and corruption compliance on the corporate compliance agenda. This will require board-level awareness and leadership, and the combined input from a range of professionals including, legal, IT, finance, procurement and vendor management and HR.

In particular, the GDPR:

• Introduces new rights that may require changes to:
  • Privacy policies
  • Internal procedures
  • Technology platforms
  • Vendor agreements
• Introduces new obligations covering:
  • Requirements for consent
  • Data breach notification
  • Appointment of third party data processors
  • Appointment of representatives
• Requires new processes including:
  • Privacy Impact Assessments
  • Internal record-keeping/audit trail
  • Privacy by design and default
  • Implementing robust data security measures (e.g., pseudonymization and anonymization)
• Potentially requires hiring new personnel (or re-assignment of existing personnel) as a Data Protection Officer
• Has significant penalties for non-compliance (up to the greater of €20,000,000 or 4 percent of worldwide annual turnover for the most serious breaches)

The GDPR is intended to provide much greater harmonization than at present, although some differences will remain. Some areas, notably personal data relating to employees, remain subject to significant national variances. The United Kingdom will adopt the GDPR, despite its planned withdrawal from the EU in 2019. This reflects the fact that a high level of protection for personal data is expected in many modern economies and the global trend towards higher levels of protection. In particular, it provides a firmer basis for the U.K. to be recognized by the EU as offering an adequate level of protection for international transfers of personal data.

Our in-depth guide to the GDPR and its implications for U.S. businesses lays out some of the key areas which are relevant to U.S. businesses.