The General Data Protection Regulation (GDPR) was approved by EU Parliament back in May 2017. The GDPR, in a nutshell, was designed to replace an inconsistent set of data privacy laws with a comprehensive law that protected all European Union residents. Please click here for my original post on the GDPR. While the GDPR has been in effect for over a year, the law gave companies until May 25, 2018 to comply. Well, that deadline has come and gone. If you fail to comply, regulators can impose a fine of up to 4% of worldwide revenue. This is NOT a typo! 4% of worldwide revenue up to 20 million euros.
Currently, there are no grace periods if your company still has not complied with the GDPR. Additionally, as the ability to enforce compliance is less than 1 week old, there is no precedent out there that we can use as guidance. Regulators for EU member states have indicated different going forward approaches to enforcement. While one state regulator has inferred that even if full compliance has not yet been achieved, the efforts made to attain compliance will be taken into account as a mitigating factor. Alternatively, other state regulators have simply stated that if we have reason to impose a fine we will impose a fine. In this regard, the newly created European Data Protection Board was recently created.
Going Forward – What should US Companies do?
US companies had over a year to prepare for the May 25, 2018 compliance deadline. Just burying your head in the sand is not a good strategy considering the potential fine of up to 4% of worldwide revenue. US companies need to understand if their online business presence falls under the GDPR. If you have any questions regarding this or any other aspect of your business, please feel free to contact Doug Leavitt at Danziger Shapiro & Leavitt, P.C.
This entry is presented for informational purposes only and is not intended to constitute legal advice.