Introducing the little-known (but hugely important) General Data Protection Regulation (GDPR). We know, we know. You’ve never heard of it. And, if you did hear of it, you don’t think it applies to your company, to your college, or to your work as a consultant. Well, sorry to say, you’re probably wrong. GDPR likely applies to any business with a computer connected to the Internet.
What is GDPR, you ask? GDPR is a new regulation adopted by the European Union (EU) which becomes effective on May 25, 2018. It is a game-changer. GDPR is the EU’s new law to protect personal data and enhance the privacy of its citizens online. Among other things, GDPR:

  • empowers its citizens to have more control and say over how and when their personal information is collected, used, analyzed, and stored.
  • sets limits on the processing of personal data to specific and legitimate business purposes.
  • gives EU citizens the right and authority to obtain any data you have gathered about them and to require you to fix any inaccuracies or even erase their data (known as the “right-to-be-forgotten”).
  • requires you to use adequate security measures to protect this data and to promptly notify users of any breaches (i.e., within 72 hours in most cases).

GDPR will be enforced by national regulators in the EU who will have the authority to assess mind-bogglingly substantial fines for violations (i.e., the greater of 4% of a company’s annual revenue or €20 million (or $24,137,900 as of the writing of this post)). (Yes, you read that correctly.)
Do we have your attention yet?
“But wait a second,” you say. “How can this law apply to me when I’m in the United States? This is America! No taxation without representation!” Yes, we know. However, GDPR’s reach is far and wide. If you obtain or use personal data (which the GDPR defines broadly) of any EU citizen, then GDPR likely applies to you. Although it remains to be seen how the EU’s regulatory authorities will seek to enforce the GDPR against American companies, given the close working and trade relationship between the United States and the EU, we expect that international law will permit GDPR enforcers to reach U.S. companies. And, our understanding is that there will be no grace period and enforcement will begin promptly after the May 25, 2018 effective date.
So, now what?
It’s too complicated to lay out all the steps to ensure GDPR compliance in a blog post. Therefore, please consider this list as a very general and high-level set of guidelines to consider:

  • First, a company’s ownership or senior management should be made aware of GDPR’s existence and upcoming implementation.
  • Second, a company should assemble a GDPR Task Force consisting of senior management members, legal counsel (either outside counsel or in-house), the company’s IT professionals, the personnel responsible for handling the company’s website and data gathering/tracking, and perhaps the company’s marketing representative. The purpose of the Task Force would be to begin to understand GDPR and think through how the company’s data practices are impacted by it.
  • Third, a company may need the service of a cybersecurity consultant to come in and audit or assess the company’s systems to get a solid handle on the data the company tracks and stores.
  • Finally, a company should ask its insurance broker about the possibility of purchasing coverage for GDPR events and enforcement actions. As of this writing, it seems that the insurance market is in a great state of flux/uncertainty on this issue, most likely because of the staggering amount of financial exposure under the GDPR. We seriously question whether current cybersecurity insurance riders will be broad enough to cover GDPR-related losses and fines.

Based upon our discussions and review of the marketplace, we believe only a small percentage of U.S. institutions are prepared for GDPR’s implementation and potential impacts. GDPR is here to stay and no one wants to be the first U.S. test case caught in the GDPR’s net. We know this all sounds daunting, but you should resist the temptation to ignore GDPR and hope you never get a certified letter from Berlin, Paris, or London. Compliance with GDPR is not impossible, but time is running out.
Disclaimer: All blog posts are for informational purposes only. This blog is not legal advice and you should not use or rely on it as such. By reading this blog or our website, no attorney-client relationship is created. We do not provide legal advice to anyone except clients of the firm who have formally engaged us in writing to do so. This blog post may be considered attorney advertising in certain jurisdictions. The jurisdictions in which we practice license lawyers in the general practice of law, but do not license or certify any lawyer as an expert or specialist in any field of practice.