Companies must begin to get their houses in order now, however. The GDPR will impose strict requirements and hefty penalties for non-compliance, with fines running as high as 4% of a company's total worldwide annual turnover (or €20 million, whichever is greater). Companies will have to conduct thorough assessments of the personal data that they collect, maintain, use, and disclose, and review their contracts with vendors and their policies and procedures for handling such data, so that they can make any necessary changes well before the GDPR becomes effective.
Below are brief descriptions of key provisions of the GDPR and what they mean for U.S. companies:
Affects U.S. Companies That Do Business in the EU or That Process Data on Behalf of Such Companies. The GDPR will apply to an extremely wide range of companies: data controllers (entities that, alone or jointly with others, determine the purposes and means of processing personal data) and data processors (entities, such as cloud providers, that process personal data on behalf of a data controller) that either (1) are established in the EU, or (2) are not established in the EU but offer goods or services to individuals in the EU (whether or not payment is required) or monitor the behavior of individuals within the EU (e.g., online tracking for marketing purposes).