Preparing for the European Union’s General Data Protection Regulation: A Brief Overview for U.S. Companies

The European Union’s General Data Protection Regulation (“GDPR”) will come into effect on May 25, 2018.  Many American companies are unaware of GDPR requirements and unprepared for its imminent arrival.  This Article summarizes key provisions of the GDPR and outlines steps US companies should consider in anticipation of its effective date.  If you have questions after reviewing this article, please don’t hesitate to contact us.

A Summary Of Certain Key Provisions of the GDPR

The GDPR applies to non-EU organizations, including U.S. companies, that process personal data of individuals or data subjects located in the EU. The GDPR expands existing EU data protection law in numerous ways, including the following:

·       “Personal Data” is defined more broadly.  In fact, the reach of the revised definition may surprise some as it includes data not previously considered to be personally identifiable information or “PII”, such as IP addresses.

·       The processing of Personal Data must be lawful, fair and transparent.  

·       Personal data may only be collected for specified legitimate uses and may not be kept longer than is necessary for the purpose for which it was collected. 

·       A robust duty to delete data after it is no longer needed will be instituted.

·       More explicit notice and consent requirements are imposed on the data controller, the entity amassing the data.  The consent of the data subject whose personal data is being collected must be freely given, specific, informed and unambiguous.    

·       Increased attention is paid to data security measures as well as to the types of data.

·       Breach notification rules are tightened.

·       The data subject is given broader rights to require that his or her data be deleted from a database, in other words, to exercise “the right to be forgotten”.

·       Personal data may only be transferred out of the EU to a jurisdiction which provides adequate safeguards for that data.

·       The GDPR applies equally to data controllers who amass information and data processors who get information from controllers.

Preliminary Steps US Companies Should Take To Prepare

Failure to comply with the GDPR can subject violators to significant penalties. US companies processing EU data, or planning to do so, should take measures to ensure compliance.  Some preliminary steps include the following:

·       Determine if your company is subject to GDPR as a threshold matter.

·       Review existing privacy policies to ensure the new notice and consent requirements are met and consider revisions to existing policies if not.

·       Review data security protocols and determine if a DPIA (Data Privacy Impact Assessment) is necessary.  A DPIA may be required if new activities are undertaken with respect to the processing of personal data.  The DPIA will identify potential areas of shortcomings.

·       Appoint a Data Protection Officer if your company’s primary activities consist of processing which requires regular and systematic monitoring of individuals on a large scale or if the processing concerns certain types of sensitive data.  Note: The activities of the company and not the size of the company determine whether a DPO is necessary.

·       Review the data security measures of your vendors to ensure that those vendors which handle personal data also provide sufficient protections, and revise your existing vendor agreements to address GDPR compliance matters. A company is responsible for ensuring that it uses vendors which also comply with GDPR.

·       Consider becoming “Privacy Shield” compliant in order to transfer data out of the EU.

·       Prepare Binding Corporate Rules or Model Contractual Clauses to meet the adequate   safeguards requirement for transfer of data out of the EU.

Why It Matters

Customers in the US and EU and indeed throughout the world are increasingly concerned with the privacy of their personal data.  In addition to avoiding penalties for non-compliance, compliance with GDPR demonstrates to customers that your company has their interests at heart.  

Please note the foregoing is not intended to be an exhaustive summary of the GDPR or the steps to be taken to become compliant and is not intended as legal advice.  For customized recommendations and guidance concerning your EU data security and compliance, please contact us directly.  


Francesco Barbera

Francesco Barbera is a corporate attorney representing emerging growth companies in a wide range of industries, including software, technology, digital, fashion, health care, retail and e-commerce.

He counsels entrepreneurs, investors and established companies on the full range of their business activities, from formation through raising capital, growth and acquisition. He has special expertise in the representation of mission-driven organizations and social enterprises. 

Throughout his career, he has represented the National Broadcasting Corporation, the Grammy Museum, Ares Capital Management, Credit Suisse First Boston, as well as privately held businesses in internet, media and technology, mobile applications, consumer products, professional sports, film and television production, among others over the course of his career. 

Francesco began his legal career at two large, international law firms in Los Angeles, where he represented large and small enterprises in a broad range of transactions, from mergers and acquisitions to public and private securities offerings to the formation of partnerships and joint ventures.

Francesco is also the Co-Chairman of the Los Angeles chapter of Conscious Capitalism, Inc.A lifelong student of psychology and personal development, Francesco holds a Master’s Degree in Spiritual Psychology from the University of Santa Monica and has been trained and mentored by numerous leaders in the personal development arena, including Steve Chandler, Byron Katie and George and Linda Pransky. 

Francesco has also founded and represented non-profit initiatives.

He has served as outside counsel to the Los Angeles Leadership Academy, a charter school dedicated to training the next generation of social and political leaders, and he is the founder and former Executive Director of SpiritWalk, a non-profit fundraiser created to benefit the University of Santa Monica.  

Francesco’s writing has appeared in The American LawyerCalifornia LawyerSlate, and others. He served as the Supreme Court columnist and Executive Editor of the Harvard Law Record and was the founder and editor-in-chief of the Penn History Review, the first Ivy League journal in the country dedicated to the publication of undergraduate historical research.

Francesco is an honors graduate of Harvard Law School, cum laude, and the University of Pennsylvania, summa cum laude and Phi Beta Kappa.