Client Alerts

New EU Data Protection Regulation Raises the Stakes for Compliance

By: Frances Floriano Goins and Michael A. Marrero

About: Cybersecurity & Privacy

On December 17, 2015 the arrival of a new era in European Union (E.U.) citizens’ data privacy became one step closer when the E.U.’s Civil Rights Committee approved the General Data Protection Regulation (GDPR). Unlike the 1995 EU Data Protection Directive that they replace, which required member states to implement local laws to address data privacy and protection, the GDPR will apply to all 28 member states without local implementing laws. The GDPR will apply two years after the E.U. Parliament and Council of the European Union formally adopt the GDPR. There are many significant changes under the GDPR, including that companies that violate certain provisions of the GDPR may receive fines of up to 4 percent of their annual global revenue. Each E.U. member state will have a data protection authority to enforce the GDPR.

Who is affected?

The GDPR affects companies that collect personal data about E.U. citizens or that process information on behalf of such companies. The GDPR can even apply to companies that do not have a physical presence within the E.U. Accordingly, any company with employees or customers in the E.U. or that processes personal information for E.U. citizens must understand the GDPR’s requirements and what that organization must do to comply with those obligations.

New Requirements

Some of the requirements under the GDPR include that:

Action Steps

Depending on their collection and use of consumer data, companies subject to the GDPR may consider the following action items:

Conclusion

Given the expected implementation of the GDPR and Data Privacy Directive, affected companies should begin reviewing and modifying their corporate governance, policies, logistics, structure and communications as necessary to comply with the changes. Data protection issues should become a high priority for companies based on the E.U.’s emphasis on privacy rights and the harsh new penalties under the GDPR.