This month, Tracking Data will be covering the EU’s General Data Protection Regulation (GDPR), which was adopted on April 27, 2016, and goes into effect on May 25, 2018.
The GDPR defines a broad set of rights and principles governing the protection of EU data subjects. These rights include the right to access one’s personal data and information regarding the storage and sharing of that data, the right to correct errors in personal data, the right to erasure, and the right to notices and disclosures. The GDPR imposes new obligations on organizations to protect these rights, and mandates significant fines in the event of non-compliance.
The extent to which an organization is subject to obligations under the GDPR depends on whether it is a “data controller” or a “data processor.” U.S. companies that do not have a presence in the EU, but that sell to people located in the EU, or obtain and retain personal information of people located in the EU, may be required to comply with the GDPR. The GDPR may also apply if a U.S. business contracts with vendors in the EU to store personal data.
Over the next few weeks, we will take an in-depth look at GDPR provisions that may impact U.S. businesses both large and small. Topics will include the territorial scope of the GDPR, who needs to hire a Data Protection Officer (DPO), how the law categorizes personal data, and cross-border data transfer requirements.
Watch for new blog posts twice per week in March.