This article does not constitute legal advice and
is intended for informational purposes only.
GDPR Explained - A Quick Guide for U.S. Businesses
The General Data Protection Regulation (“GDPR”) is a legal framework
that sets new standards for the collection, storage, and processing of
personal data of citizens of the European Union (“EU”). Enacted in
May 2018, GDPR has had far-reaching implications for how companies
handle consumer privacy.
GDPR applies to a broad array of personal data, including a person’s
name, email address, and phone number, but also less obvious
information such as customer IDs and IP addresses.
The purpose of GDPR is to give EU citizens the right to access and
control their personal data and it is intended to protect EU citizens from
privacy and data breaches.
Although the GDPR mainly affects those living within the
European Union (EU), businesses do not have to be based in the
EU to be bound by the GDPR. GDPR applies to U.S. companies
that provide goods or services to EU citizens or monitor their
behavior (for instance, by using cookies or similar tracking
technologies).
Thus, if you collect personal data or behavioral information
from an individual in an EU country, whether that individual is
a customer or your own employee, your company is subject
to the requirements of the GDPR.
U.S. businesses should determine whether the GDPR applies
to them so that they can ensure compliance, because the
penalties for failing to comply with the GDPR can be severe.
Companies found to violate the GDPR can face eye-watering
fines. The maximum fine for a violation is 20 million euros or
4% of a company’s annual global revenue from the prior year,
whichever is higher.
By inventorying and mapping your data holdings you will develop a
solid understanding of the array of personal data you are responsible for
safeguarding.
Updating your privacy notices to comply with the GDPR’s enhanced
transparency requirements will force you to review your public-facing
privacy policies and other online notices to ensure they are up-to-date
and accurate. Benchmarking your existing policies to the GDPR will
help you identify gaps and inconsistencies in your current approach.
Although cumbersome, launching a GDPR compliance effort will
help get your company’s privacy and security affairs in order.
GDPR provides exceptions to many of the most burdensome
provisions of the regulation when steps are taken to de-identify
personal data.
For instance, companies may not be required to provide breach
notification to individuals if the data that was compromised had
been properly anonymized. By using anonymization or
pseudonymization techniques companies can also give
themselves more flexibility in how they process data.
Anonymization and pseudonymization can significantly reduce
GDPR compliance burdens.
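The distinction the article draws between anonymization and pseudonymization is easiest to see in code. The example below is added here and is not part of the original article or CGL's material; the key handling, the purpose labels and the sample customer records are constructed for illustration. It replaces customer IDs and email addresses with keyed HMAC tokens (pseudonymization: the data is still linkable across records, and whoever holds the key can re-identify it, so it remains personal data) and coarsens IP addresses to a network prefix (a data-minimization step that, on its own, does not guarantee anonymity).

```python
"""Added example (not from the original article): pseudonymizing
identifiers in customer records with a keyed HMAC and generalizing
IP addresses. All names, keys and records here are constructed."""
import hashlib
import hmac
import ipaddress
import secrets

# Constructed sample records of the kinds of data the article mentions:
# customer IDs, email addresses and IP addresses (IPv4 and IPv6).
SAMPLE_RECORDS = [
    {"customer_id": "C-1001", "email": "ana@example.com",
     "ip": "203.0.113.45", "purchase": 42.0},
    {"customer_id": "C-1001", "email": "Ana@Example.com",
     "ip": "203.0.113.45", "purchase": 17.5},
    {"customer_id": "C-2002", "email": "ben@example.org",
     "ip": "2001:db8::1", "purchase": 99.0},
]


def new_pseudonymization_key() -> bytes:
    """A fresh 256-bit key. In a real deployment the key lives in a
    KMS/HSM, stored separately from the pseudonymized dataset, because
    anyone holding it can re-identify the records."""
    return secrets.token_bytes(32)


def pseudonymize(value: str, key: bytes, purpose: str) -> str:
    """Deterministic keyed token for one identifier.

    The same value under the same key and purpose always maps to the
    same token, so records about one person can still be linked for
    analytics. Without the key the token cannot be reversed, and unlike
    a plain SHA-256 hash it cannot be recomputed from a guessed value
    (e.g. a dictionary of email addresses). The purpose label keeps
    tokens for different fields or datasets unlinkable to each other.
    """
    msg = purpose.encode() + b"\x00" + value.encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


def generalize_ip(ip: str) -> str:
    """Coarsen an IP address to a network prefix (/24 for IPv4, /48 for
    IPv6) so it no longer points at a single host. This reduces the
    data retained; whether the result counts as anonymous depends on
    what other fields are kept alongside it."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def pseudonymize_record(record: dict, key: bytes) -> dict:
    """Return a copy of the record with direct identifiers replaced.
    Non-identifying fields (here, the purchase amount) are kept."""
    out = dict(record)
    out["customer_id"] = pseudonymize(record["customer_id"], key, "customer_id")
    # Normalize case first so the same mailbox yields the same token.
    out["email"] = pseudonymize(record["email"].lower(), key, "email")
    out["ip"] = generalize_ip(record["ip"])
    return out


def pseudonymize_dataset(records: list, key: bytes) -> list:
    return [pseudonymize_record(r, key) for r in records]


if __name__ == "__main__":
    key = new_pseudonymization_key()
    for row in pseudonymize_dataset(SAMPLE_RECORDS, key):
        print(row)
```

Two properties matter for a compliance review: rotating the key (or using a different purpose label) produces a different token for the same person, which is how you prevent a pseudonymized analytics export from being joined back to another dataset; and the key must be stored apart from the data, since the pseudonymized records plus the key are equivalent to the original identifiers.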
In addition to EU regulators, individuals have a “right to an effective
judicial remedy,” including monetary damages, for violations of the
GDPR. This right can be exercised by nonprofit organizations on
individuals’ behalf.
Thus, U.S. businesses should be aware that privacy and consumer
organizations are likely on the lookout for indications of basic failures to
comply with the GDPR. Preparation is key to avoiding becoming an
early target for one of these class-action style forms of litigation. This is
particularly important because courts will be considering many of these
issues for the first time, so early judicial outcomes are hard to predict.
Nonprofits can enforce the GDPR on behalf of consumers and have
greater resources to fund a legal action than individuals do.
Companies should be careful not to assume that, by complying with
the GDPR, they have met all of their privacy and security obligations
across the globe. Implementing a GDPR compliance strategy will
undoubtedly help with any privacy and security program, but different
jurisdictions have different laws, and their requirements can vary in
substantial ways.
It is important to always carefully review the relevant laws and
regulations and to be prepared for future developments in the
privacy landscape.
While the GDPR is an important privacy law, it is not the only one.
DISCLAIMER
This article does not constitute legal advice and is
intended for informational purposes only. You should
contact your attorney to obtain advice with respect to
any particular issue or problem. Use of and access to
these materials, the CGL website or any of the links
contained within the site do not create an attorney-client
relationship between CGL and the user or browser. The
opinions expressed at or through this site are the opinions
of the individual author and may not reflect the opinions
of the firm or any individual attorney.
www.cgl-llp.com