May 16, 2018 -

Privacy Alert: GDPR Enforcement Effective May 25, 2018

by Matthew Klahre and Andrew Baer

The General Data Protection Regulation (GDPR) is the European Union’s latest privacy regime for the protection of the personal data of EU citizens.  The GDPR is an unprecedented change in the current E.U. and world privacy landscape, not to mention a significant step up from the privacy compliance requirements that many U.S.-based companies are familiar with under current American law.

Moreover, the GDPR is extraterritorial.  In other words, the new regulation applies to most companies that process E.U. personal data, regardless of whether or not they are located in the E.U.  As such, many U.S. companies will be required to comply.  Under the GDPR, “personal data” is any data relating to an identified or identifiable EU citizen. This includes obvious information such as an E.U. citizen’s name and email address, but also some not-so-obvious data such as E.U. business contact information, and IP address and HTTP header information collected from web traffic originating in the E.U. (which are not treated as protected personally identifiable information under U.S. law).

Enforcement of the GDPR begins on May 25, 2018, and so do its eye-watering penalties.  A company’s non-compliance could result in fines of up to 4% of its annual turnover or €20,000,000, whichever is higher.  Preparing for the GDPR involves improving and appropriately documenting a company’s internal compliance and record-keeping processes, amending agreements with customers and vendors to satisfy the GDPR’s requirements, and updating privacy policies to provide adequate disclosures and choices to E.U. data subjects.   Additional privacy rights like data portability and the right to data erasure (otherwise known as the “right to be forgotten”), which have no analogue in U.S. privacy law, may also apply.

E.U. regulators are not the only ones driving the need for GDPR compliance.  As required by the GDPR, multinational companies with a presence (and therefore regulatory exposure) in Europe are pushing the GDPR’s mandates down onto their U.S.-based vendors who process E.U. personal data on their behalf.  Our team of privacy lawyers can help you assess your GDPR exposure and work with you to formulate and implement a compliance strategy and update your contracts.  If you have any questions about the GDPR, please contact Matt Klahre at or Andrew Baer at