The General Data Protection Regulation (GDPR) is the EU regulation governing the collection, processing, use, and storage of personal data. Companies subject to the GDPR must examine their personal data collection and processing practices and make any changes necessary to comply with the law, or face substantial financial penalties of up to €20 million or 4 percent of worldwide annual turnover, whichever is higher.

Although the EU is responsible for the GDPR, the regulation affects not only EU companies that process personal data, but also non-EU companies that process personal data in connection with offering goods or services to individuals in the EU, such as websites that are directed at EU residents and that collect and process those residents’ data. It also applies to any company, regardless of location, that processes personal data in the course of monitoring or profiling individuals in the EU. As a result, a company based in the United States, with no operations whatsoever in the EU, may nonetheless be subject to the GDPR if, for example, it sells clothing, offers its goods to EU residents (by shipping to EU addresses or pricing in euros, say), and collects their information as part of its marketing or sales process. Merely having a website that EU residents can reach is not, by itself, enough to bring a company within the GDPR; what matters is whether the company is actually offering goods or services to them, or monitoring their behaviour.

With enforcement now in effect, it is essential that companies take the necessary steps to coordinate compliance across all of their EU operations and across their third-party relationships, including the vendors and processors that handle personal data on their behalf.

O’Melveny’s GDPR Toolkit explains the law’s requirements, helps you make an initial assessment of whether your company is affected by the GDPR, and lays out twelve steps you can take to comply with it. Our lawyers can also provide specific counseling on how the law applies to your company.