You've seen the updated privacy policies flood your inbox, the cookie banner warnings on websites, and heard about data privacy law in the news. These are just a few of the signs that companies worldwide are scrambling to comply with the far-reaching European General Data Protection Regulation (GDPR), which applies from May 25, 2018.

Yet, with just days to go, many companies are still unaware that their businesses must comply with the GDPR or face large fines. The GDPR doesn't apply only inside the European Union; it reaches companies outside the EU that offer goods or services to people in the EU or monitor their behaviour (for example, by tracking website visitors), as well as any company with an establishment in the EU. The GDPR also covers all types of businesses, from technology companies to banks, manufacturers, and even online vendors. If your business touches the EU, and you process any personal data of people in the EU, you need to evaluate your GDPR readiness. Here are a few questions to ask yourself about how the GDPR might apply to your business:

DOES THE GDPR APPLY TO YOUR COMPANY?

The GDPR applies to U.S. and other non-EU companies, not just European ones. For example, the GDPR directly applies to your business if any one of the following situations applies to your company:

  1. You offer products or services to individuals in the European Union, whether or not you charge for them; OR
  2. You monitor the behaviour of individuals in the EU, for example through website analytics, advertising cookies, or profiling; OR
  3. You have any places of business (an office, subsidiary, or other establishment) in the EU.

Even where none of these applies, receiving personal data from European companies brings the GDPR to your door indirectly: those companies are required to impose GDPR-grade contractual obligations on anyone who processes personal data for them, and to use an approved mechanism for transferring the data outside the EU.

ARE YOU AWARE OF THE POSSIBLE PENALTIES?

The fines for GDPR violations can be massive. For the most serious violations, such as processing without a lawful basis or ignoring individuals' rights, European privacy authorities may levy fines of up to 4% of a company's total worldwide annual turnover for the preceding financial year, or €20 million (about $23.5 million), whichever is higher. Other violations, such as failing to keep required records, failing to notify a breach, or failing to put a compliant contract in place with a vendor, carry fines of up to 2% of worldwide annual turnover or €10 million, whichever is higher.

IS YOUR COMPANY PREPARED TO HONOR PERSONAL DATA RIGHTS?

If you collect or receive personal information covered by the GDPR, including, for example, names, usernames, email addresses, and online identifiers such as IP addresses and cookie IDs, you have certain obligations to the people behind that data. You should evaluate whether you are prepared to honor the rights and legal requests of those people under the GDPR, including the rights to access, correct, delete, or receive a portable copy of their data, and to object to certain processing. As a rule, you must respond to such a request within one month, and you must be able to find every copy of the person's data across your systems and vendors to do so.

HAS YOUR COMPANY GENERATED REQUIRED GDPR COMPLIANCE DOCUMENTATION?

The GDPR requires organizations to affirmatively demonstrate compliance, for example, by publishing GDPR-compliant privacy notices, by keeping detailed internal records of processing activities (what personal data you hold, why, where it is stored, and who receives it), by carrying out data protection impact assessments for high-risk processing, and by maintaining a data breach response plan that can meet the GDPR's requirement to notify the supervisory authority within 72 hours of becoming aware of a breach. Note that joining the Privacy Shield program administered by the U.S. Department of Commerce does not satisfy these documentation obligations; Privacy Shield provides a lawful basis for transferring personal data from the EU to a U.S. business, but the business must still meet the GDPR's substantive requirements for the data it receives. These obligations must be met before May 25, 2018, not after receiving a knock on the door from a regulatory agency.

DOES YOUR COMPANY HAVE GDPR-READY DATA PROTECTION AGREEMENTS IN PLACE?

The GDPR requires a written data processing agreement whenever another company processes personal data on your behalf, and the agreement must contain specific terms: the vendor may act only on your documented instructions, must keep the data confidential and secure, may engage sub-processors only with your approval, must assist you with individuals' rights requests and breach notifications, must delete or return the data when the engagement ends, and must submit to audits. Sharing personal data with clients or partners that use it for their own purposes does not require this kind of agreement, but transferring personal data outside the EU requires an approved transfer mechanism, such as standard contractual clauses or (for U.S. recipients) Privacy Shield. Are you using consultants, cloud services, or other vendors to assist in storing or managing personal data? If so, you need to make sure your company has a compliant data protection agreement with each of those vendors.

If you want to know more about the GDPR, or need help getting your business GDPR-ready by May 25, 2018, contact your attorney today—the deadline will be here before you know it.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.