In May 2018, the European Union’s General Data Protection Regulation (GDPR) will come into force, which means that U.S. companies that do work internationally need to be very aware of this date and plan accordingly.
The law is designed to protect the data of EU citizens wherever they may live and wherever the data is processed. With corporate awareness of cyber-attacks at an all-time high, U.S. companies should not only be ready for this change, but take the lead in responding, as well.
In addition to the more widely publicized rights to data portability and the right to be forgotten, the transfer of data outside the EU will be further restricted. Companies need to have policies and procedures in place to put these requirements into effect and to document how their data is collected and retained.
Most ominously, companies will now have 72 hours to report a data breach to the EU Information Commissioner’s Office. The days of a company such as Yahoo taking years to report a breach will soon be long gone. All of these requirements extend to third parties.
The clear model for compliance with these requirements is a best-practices anti-corruption compliance program. In addition to written policies and procedures, companies must appoint a data protection officer, review contracts for appropriate data protection and privacy terms and conditions, train employees and gatekeepers, ensure appropriate board participation and oversight, and monitor and update provisions on an ongoing basis.
To accomplish all of this, businesses need to begin preparations now. Moreover, as with Foreign Corrupt Practices Act (FCPA) compliance, there will be many flow-down provisions for multiple levels of contractors and sub-contractors. These counterparties and their own contractors can expect to be audited on their data privacy and data protection programs going forward. As was observed with FCPA compliance, once businesses embrace the requirements and treat them as a condition of doing business, compliance becomes part of the overall business process.