The European Union’s next-generation privacy law, the General Data Protection Regulation (GDPR), is being implemented now, and full compliance is required by May 25, 2018. The GDPR will directly or indirectly affect companies in Georgia and around the world that do business in the EU or otherwise process personal data that comes from the EU. Penalties for noncompliance can be as much as 20 million euros (approximately $23.5 million) or 4 percent of an organization’s global turnover, whichever is greater. Meeting GDPR requirements can take some time, so, if your organization is impacted by the GDPR and compliance efforts are not already underway, it is time to get started.

Article 3 of the GDPR asserts a broad extraterritorial reach, so your organization does not have to have EU locations to be affected. Collecting personal data about individuals who are in the EU in the course of offering goods or services is sufficient. If your website includes prices in euros or other EU currencies or has French, German or other EU language versions, your organization could be subject to the GDPR. Monitoring behavior in the EU through website tracking tools or other means also could bring an organization in scope. Even if your organization does not collect personal data directly from individuals in the EU, your organization still may be affected indirectly as a result of GDPR contract-related requirements if your organization acts as a service provider (often a “processor” in EU terminology) for someone that is covered.