Getting ready for the EU's stringent data privacy rule.

Author:McCallister, Jennifer

The new EU General Data Protection Regulation, which takes effect in May, will have far-reaching effects. Here are key elements and a readiness plan.

The General Data Protection Regulation (GDPR), adopted in the European Union in 2016, will become enforceable on May 25, 2018, and will affect all companies that use personal data of persons in the EU to provide services, to sell goods, or to monitor their behavior, even if those companies don't have an office in the EU.

In addition, the GDPR requires that companies without a physical EU location have an appointed representative for EU enforcement purposes.

Data protection is a significant issue in Europe. After World War II, when personal information was used to identify and target people based on specific demographics, the Council of Europe was formed to bring together European states to address, among other topics, human rights and the associated right to privacy. Between the 1950s and 1980s, many EU countries adopted their own national data protection laws, and in 1995, as an attempt to harmonize these laws, the EU adopted the Data Protection Directive (DPD). As a "directive," the DPD provided for specific aims to be achieved through national laws by the member states.

While it managed to harmonize essential data protection safeguards, the transposition of the directive in national laws still allowed differences among national laws. Taking note of the digital age, the European Commission announced its ambitious plan to reform the data protection framework to provide a high level of protection to individuals and to update the rules for the new digital reality.

Unlike the DPD, the GDPR is directly applicable in the national systems of EU member states. The GDPR is considered the most stringent data privacy regulation to date and could one day be the primary influence behind globally adopted privacy standards.


The GDPR is a comprehensive law that applies to businesses handling personal data of individuals in the EU--even when no transaction takes place and regardless of whether a business is physically located in Europe. The GDPR elaborates on issues that arose under the DPD, strengthening the rights of individuals and providing for prohibitive fines, which can go up to 20 million [euro] (about $22.9 million), or 4% of the global annual turnover, or revenue, for the previous year. As the effective date approaches, regulated entities are left with a narrow time to become compliant.


Many U.S. companies have embraced the regulation and have been working steadily on implementation plans since 2016; however, others are still determining whether the GDPR even applies to them. For U.S. companies, it may be difficult to understand the complexity of the GDPR and its application within the United States; however, caution should be taken before turning a blind eye, as the new rules will apply to many more U.S.-based companies than the current DPD standard. The GDPR's territorial reach is wide because the rules apply not only to organizations that have an establishment in the EU, but also to those organizations that are not established in...

To continue reading