The General Data Protection Regulation (GDPR), the EU’s new regulation governing the collection, processing, use, and storage of personal data, becomes enforceable on May 25, 2018. Before that date, companies subject to the GDPR will need to examine their personal data collection and processing practices and make any necessary changes to comply with the law, or face substantial financial penalties of up to €20 million or 4 percent of worldwide revenue.

Although the EU is responsible for the GDPR, the regulation will affect not only EU companies that process personal data, but also non-EU companies that process personal data in connection with offering goods and services to individuals in the EU, such as websites that are available to EU residents and that collect and process those residents’ data. It will also apply to any companies, regardless of location, that process personal data in the course of monitoring or profiling EU residents. As a result, a company based in the United States, with no operations whatsoever in the EU, may nonetheless be subject to the GDPR if, for example, the company sells clothing and its goods are available to EU residents, and it collects their information as part of its marketing or sales process.

With less than a year until full enforcement, it is essential that companies begin taking the necessary steps to coordinate compliance across all EU operations and in their third-party relationships.

O’Melveny’s GDPR Toolkit explains the law’s requirements, can help you make an initial assessment as to whether your company is affected by the GDPR, and lays out twelve steps you can take to comply with the GDPR before the enforcement date. Our lawyers also can provide specific counseling on the application of the law to your company.