TECHNOLOGY IN THE LAW PRACTICE
THOMAS CODEVILLA, J.
In the fall of 2016, I was just digging in to start compliance efforts for the EU-U.S. Privacy Shield when my general counsel pulled me aside. “You can stop working on Privacy Shield,” she said. “There’s something called GDPR coming, and it’s way bigger.” Thus began my odyssey with the European Union’s General Data Protection Regulation (GDPR). I am an in-house lawyer for a company that must comply with GDPR because we collect and process user information from around the world, including the European Union.
Effective May 25, 2018, GDPR tries to reverse the current business-centric structure of user privacy. Replacing the 1995 Data Protection Directive and the patchwork of national laws that implemented it with a single regulation that applies directly in every member state, GDPR covers entities established in the EU that control or process personal data, and entities outside the EU that do the same with the personal data of people in the EU, whether by offering them goods or services or by monitoring their behavior.
While the large potential fines are scary and full compliance seems out of reach for many small and medium-sized businesses (not to mention their in-house counsel), the regulation itself becomes less scary when one understands its aims and prioritizes compliance efforts around high-risk areas. This article is neither a complete guide to GDPR nor legal advice; the intent is to cut through the panic around GDPR’s implementation and provide a useful mental model for compliance planning.