The European Union’s GDPR Takes Effect May 25: Are You Ready?

John M. Conley
Robinson Bradshaw Publication
May 21, 2018

After years of development, punctuated by seemingly endless stops and starts, the European Union’s General Data Protection Regulation (GDPR) will finally take effect on May 25. As a Regulation, it will immediately become law throughout the EU, much like a federal law in the United States. By contrast, the predecessor law that it replaces, the 1995 Data Protection Directive, set a detailed standard that individual member countries were required to adopt through national legislation, a process that inevitably produced country-by-country variation. The new GDPR will perpetuate the Directive’s core principles and requirements and add a good deal more.

Key Features

The key features of the GDPR include the following:

Bringing Data to the United States

Because the EU has determined that U.S. laws do not provide adequate protection for personal data, transferring data out of the EU will continue to be a significant problem—even for intracompany transfers. As under the Directive, individual consent remains a valid basis for transfer—but it must be affirmative and unambiguous. Absent consent, the available options are the U.S. Department of Commerce’s Privacy Shield program, the unpopular Standard Contractual Clauses promulgated by the EU, and the even less popular Binding Corporate Rules.

Participation in the Privacy Shield means, essentially, that a transferee of data in the United States must certify its compliance with GDPR principles and requirements. Some of the major elements of the Privacy Shield include:

The U.S. Commerce Department has committed to vigorous enforcement, including referrals to Data Protection Authorities (DPAs) in the EU.

Is My Company Really At Risk for Noncompliance?

Since the GDPR has yet to take effect, the EU DPAs have no track record of enforcement, nor is there any case law. However, various EU authorities have been making public statements about their enforcement plans, and an official advisory body called the Article 29 Working Party has been issuing “Guidance” documents on specific issues. Putting these sources together, the major themes seem to be:

In fact, for smaller and medium-sized American companies, the more significant enforcement is likely to come from the private sector. As many of our clients are discovering, companies that perform processing services in this country for large multinationals like Google and Amazon are being required to sign contracts that promise GDPR compliance, and to impose similar contracts downstream on their own vendors and contractors (who are subprocessors in GDPR terms). Some of these companies find themselves scrambling to assess their data security, to figure out how to provide EU data subjects with their GDPR rights, and to revise their vendor contracts.

What Do We Need to Do?

U.S. companies that are confronting the GDPR for the first time need to take the following initial steps:

Robinson Bradshaw can help you—efficiently—with every stage of this process. We have already assisted companies in a range of industries, including health care, IT, finance and scientific research. We have experience in assessing GDPR applicability, preparing GDPR-compliant privacy policies, drafting and reviewing GDPR contracts, assisting with Privacy Shield certification and developing long-term compliance strategies. We stand ready to put this experience to work for your company.