In an effort to strengthen the protection of its citizens’ personal data and privacy rights in today’s data-driven landscape, the General Data Protection Regulation (GDPR), adopted by the European Union in 2016, will finally take effect on May 25, 2018, replacing the current EU Data Protection Directive 95/46/EC. Once the GDPR takes effect, non-compliant organizations will be exposed to heavy fines.

So what is the GDPR, and more importantly, what does your US-based company need to know to avoid any penalties?

According to the GDPR website, the new regulation was “designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy.” With its expanded territorial scope, the GDPR applies to any company processing the personal data of “data subjects” (i.e. identified or identifiable natural persons) who are in the EU, regardless of where the company itself is located. In practice, this means that any company offering goods or services to people in the EU, or monitoring the behavior of people in the EU, must comply with the GDPR or face potential fines of up to 20 million euros or 4% of global annual turnover (roughly, annual revenue), whichever is higher. The actual amount of a fine will depend on factors such as the nature, gravity and duration of the violation, but it is crucial to understand the new regulation and address its key challenges now in order to ensure compliance and avoid this potentially steep penalty altogether.

Additionally, the GDPR has specific requirements regarding the transfer of personal data outside of the EU. Such data may not be transferred to a country outside the EU unless either (1) the European Commission has determined that the country provides an adequate level of protection, or (2) other approved safeguards are in place, such as standard contractual clauses or, in the case of transfers to the US, Privacy Shield certification.

Because the European Commission has not found US law as a whole to provide “adequate” data protection, transfers to the US must rely on one of the other approved safeguards. The EU-US Privacy Shield framework fills this gap for US companies: a company that self-certifies its adherence to the framework’s privacy principles is treated as providing adequate protection for the data it receives. This is especially important to understand for companies that don’t specifically do business in the EU but operate a website, mobile app, or web form that collects data on people in the EU (the test is where the data subject is located, not their citizenship). If that description sounds like your company, you are within the scope of the GDPR and must comply.

While meeting all of the GDPR’s requirements involves several steps, a good first step is to self-certify your company under the Privacy Shield framework via the Privacy Shield website. Certification will not guarantee full GDPR compliance, but it will give your company a head start on the process and provides greater legal clarity and direction on the EU’s data protection requirements. Note also that joining the Privacy Shield is voluntary, but once an eligible organization makes the public commitment to comply with the framework’s requirements, that commitment becomes enforceable under US law.

If you are a US-based company that collects personal data from EU citizens and need guidance on ensuring your GDPR compliance, or for additional questions regarding these requirements, contact Jason Brooks at Jason@altviewlawgroup.com or call us at (310) 230-5580.