GDPR Deadline Quickly Approaching

In five months, U.S. companies will be on the hook for EU’s new data privacy rules

Getting up to speed on the European Union’s new, sweeping data privacy law could be among many U.S. companies’ New Year resolutions for 2018. Local cybersecurity experts say companies may still have a long to-do list for compliance if they handle personal data from across the Atlantic.

Adopted in April 2016, the EU General Data Protection Regulation’s two-year compliance period will end May 25, 2018. American companies that handle EU citizens’ personal data, but aren’t in line with the GDPR’s user consent requirements, data breach notification protocol and other regulations could risk significant fines.

The GDPR bolsters protections regarding the personal data of EU citizens while unifying data privacy rules across the EU member nations. It applies to companies both inside and outside the EU that collect or process EU citizens’ personal data. The wide net the GDPR casts envelops plenty of Colorado-based companies in a variety of industries.

The question is how many U.S. businesses will be prepared for the GDPR by the May deadline. Varonis, a data security company, conducted a study ending late October that sur-veyed companies on their GDPR readiness. Of the 200 large U.S. businesses surveyed, half of them said they faced “serious challenges in being GDPR compliant.” Only two out of three U.S. businesses said they were even familiar with the GDPR, and one in four said they thought the law didn’t apply to them.

To read this story and other complete articles featured in the December 18, 2017 print edition of Law Week Colorado, copies are available for purchase online.