The EU’s New General Data Privacy Regulation (GDPR) – Global Companies’ New Compliance Test

Global companies face a daunting array of risks – anti-corruption, trade compliance, antitrust, and money laundering are just a few. The European Union, however, has escalated the data privacy issue right into the corporate boardroom. Global companies will have to devote significant time and resources to building appropriate data privacy compliance programs.

The EU’s new General Data Privacy Regulation (or GDPR), which is effective May 18, 2018, sets out a new and rigorous set of data privacy requirements. The GDPR was enacted to address serious concerns about the need to harmonize data privacy regulation among member states.

The GDPR applies to data processors and data controllers who operate outside the EU but who offer goods and services or monitor the behavior of EU data subjects. Global companies that maintain a website to solicit sales from potential EU customers will fall under the GDPR requirements. Prior to the GDPR, website-based companies were not subject to EU data privacy laws and regulations.

If a large global company operates in any (or a number of) EU member states, the company will have to comply with significant requirements for protecting, processing and transmitting data. A designated Data Privacy Officer with appropriate staff will have to be appointed in those companies where: (i) processing is carried out by a public authority; (ii) processor or controller core activities involve processing of a significant amount of data; or (iii) core activities consist of processing on a large scale of special categories of data. The DPO must have a direct line of reporting to senior management.

The GDPR imposes a number of compliance program requirements on those companies that operate in the EU. A global company will have to conduct a risk assessment and implement processes and procedures designed to protect personal data through encryption or other mechanisms to remove/mask sensitive information.

Data processors will have significant compliance obligations that require the preservation of records of processing activities and an obligation to notify a data controller of a breach.

A key component of the GDPR is implementing privacy by design — meaning that privacy should be addressed when new technologies or products are created. Designers and developers of new technologies will have to assess privacy issues at the initial steps of a project rather than when completing it.

Every company has to assess its GDPR risks by analyzing: (i) the type of data it collects; (ii) the use of such data; (iii) where the data is collected and where it is transmitted (if anywhere); (iv) when it is collected and used; and (v) how and why the data is collected and used. Once you understand these issues, you will be able to classify your data, keep accurate records of your data and notify the relevant authority.

The GDPR contains explicit consent requirements to ensure that such consents are freely given, specific, informed and unambiguous. Regulatory oversight of this area will be strict given the requirements for voluntary and specific consents. For example, regulators may question situations where a contract is made contingent on consents for data privacy processing and transmission out of the EU but where such consents are not needed for the execution of the specific services set out in the contract.

The potential fines for violations are significant. For improper international transfers or violation of basic processing requirements, the fine is the higher of 4 percent of worldwide turnover or EUR20 million; for less significant infringements, it is the higher of 2 percent of worldwide turnover or EUR10 million.

The GDPR has the potential to solve a major problem for many global companies – compliance with multiple individual member states’ data privacy regimes. Under the GDPR, there is a potential for companies operating in multiple states to secure regulation by a leading member state where the company’s base operations in the EU may exist or where there are significant operations.
