The General Data Protection Regulation: A Primer for U.S.-Based Organizations That Handle EU Personal Data

by Caroline Krass, Jason N. Kleinwaks, Ahmed Baladi, and Emmanuelle Bartoli

The General Data Protection Regulation (GDPR), a new European Union data privacy and protection regime, has already entered into force and is slated to become effective on May 25, 2018.  Designed to provide greater protections to the personal data of individuals located in the EU, the GDPR imposes a host of new obligations on both “controllers” and “processors” of such data.  Additionally, the GDPR calls for large penalties when companies fail to comply with these new obligations.  While many U.S. companies have already begun the process of bringing themselves into compliance, the GDPR has such a long reach that it may encompass a large subset of U.S. organizations that would not ordinarily expect to be subject to European data privacy laws.  Smaller organizations or those that deal with a relatively small amount of data originating in the EU may be especially likely to be caught off-guard.  Such organizations must take immediate steps to assess whether they are subject to the new GDPR and to bring themselves into compliance.

In this article, we begin by laying out the global scope of the GDPR and describing which organizations may be required to comply.  Next, we explain the obligations that the GDPR imposes on controllers and processors, as well as the stringent restrictions placed on cross-border data transfers to countries outside of the EU.  We then provide an overview of the various compliance mechanisms and penalties the GDPR includes, and potential deviations in the implementation of the GDPR that might be seen in particular EU member states.  Finally, we conclude with practical advice for organizations transitioning to the new regime.