The countdown to the enforcement date of the EU General Data Protection Regulation (GDPR) has begun, and it’s becoming increasingly clear that many U.S. organizations are poised to be caught in its crosshairs. Organizations that offer goods or services to individuals in the EU (whether or not a payment is involved) or that monitor the behavior of individuals in the EU will be subject to the GDPR’s requirements regardless of whether they have a presence in the EU. For U.S. organizations that are being exposed to the EU’s regulatory regime for the first time, panic may be setting in (if it hasn’t already). Requirements around honoring expanded data subject rights, maintaining records of processing, documenting the legal basis for such processing, and complying with the new security breach notification requirements, among others, may be particularly challenging for organizations that don’t have well-developed data governance policies or centralized systems and databases.

The GDPR replaces the previous Data Protection Directive 95/46/EC (the Directive) as the governing privacy regulation in the EU. While key principles of data privacy addressed in the Directive remain largely the same, there are some significant policy changes, and, as a result, a fair amount of uncertainty about how the regulation will be enforced. With reports suggesting that many organizations won’t be “fully compliant” by May 25, 2018 (the GDPR’s enforcement date), the next year or two may prove instructive as the first round of enforcement begins.