The European Union’s (“EU”) General Data Protection Regulation (“GDPR”) becomes effective on May 25, 2018, and it will have far-reaching impacts on the rights afforded to data subjects and impose new obligations on data controllers and processors. But before even addressing the new rights and obligations it creates, a company must carefully evaluate whether the GDPR applies to it in the first place. Certainly EU-based companies are subject to the GDPR’s requirements, but so are companies and agencies that process or collect personal information of EU data subjects or monitor EU data subjects with targeted advertising. It is important to remember that “personal information” is an expansive concept under the GDPR and that EU data subjects include individuals located in the EU. Ultimately, some U.S. companies (or non-EU companies for that matter) will be impacted because they offer goods or services in the EU or target EU data subjects. If a company provides services via the internet to customers in the EU, the company may trigger the GDPR even if it is based entirely in the U.S. In the context of a mobile application, a single EU data subject’s download of the application may technically obligate compliance with the GDPR. In the context of a university, a branch campus located in the EU, exchange programs, research programs, study abroad programs, and internship programs should each be evaluated to determine whether the GDPR applies to the institution. As we move toward May 25, 2018, companies would be wise to (if they have not done so already):
- Evaluate the company’s data flows and determine what data is collected, where it is collected from, where it is stored, and how it is used.
- Review the GDPR requirements and determine (and document) whether any gaps exist between the GDPR and the company’s current practices.
Also, as companies consider future expansion, perhaps into the EU market, the GDPR must be addressed if personal information is involved to avoid the risk of significant fines.