For companies located outside of the EU, the GDPR can apply if the company processes (e.g., collects, stores, analyzes) the personal data of persons located in the EU (regardless of their citizenship). Personal data is broadly defined to include any information relating to an identifiable natural person. If a company processes personal data of persons located in the EU, that company will be subject to GDPR if the data processing is related to the offering of goods or services to persons located in the EU (e.g., the company targets persons in the EU), or the company monitors the behavior of persons located in the EU. Companies should review their different business operations to see if they are collecting or using EU personal data (whether collected from customers, employees, or from third-parties).
The penalties for not complying with the GDPR can be severe, including administrative fines of up to 4% of the company's total worldwide annual turnover for the preceding financial year, or 20 million euros, whichever is greater. That upper tier is reserved for the most serious infringements (a lower tier of up to 2% or 10 million euros applies to others), and it remains to be seen exactly how the data protection authorities intend to enforce the obligations under the GDPR in practice.
To comply with the GDPR, a company will need to review and address a number of different areas:
- Reviewing and mapping all personal information collected, used, or disclosed by the company;
- Implementing processes to respond to data subject requests to access, delete, correct, or restrict the processing of their personal data;
- Reviewing and updating privacy policies to be consistent with the data collection, use, and disclosure practices;
- Ensuring the company has a lawful basis for all data processing (e.g., consent or contract);
- Ensuring proper contractual agreements are in place between data controllers and data processors;
- Appointing an EU representative and data protection officer under certain conditions; and
- Responding to personal data breaches and, where required, notifying the competent supervisory authority within 72 hours of becoming aware of the breach.
This article has been prepared for general information purposes and (1) does not create or constitute an attorney-client relationship, (2) is not intended as a solicitation, (3) is not intended to convey or constitute legal advice, and (4) is not a substitute for obtaining legal advice from a qualified attorney. Always seek professional counsel prior to taking action.