The Most Important New Privacy Law in a Generation: The GDPR

November 9, 2017 | Insights
  • The General Data Protection Regulation (GDPR) is a new EU law regulating how you collect and use personal data about individuals in the EU. European supervisory authorities can enforce the GDPR, including by imposing major fines, starting May 25, 2018. The GDPR replaces the existing EU Data Protection Directive (Directive 95/46/EC) and, as a regulation, applies directly in every EU member state.
  • The GDPR applies to companies established in the EU, and to companies outside the EU that process personal data when offering goods or services to individuals in the EU or when monitoring the behavior of individuals in the EU, such as tracking them online. The test is where the individuals are located, not their citizenship, so the GDPR may apply to you even if you have no presence in the EU.
  • The EU-U.S. Privacy Shield self-certification program remains available as a mechanism for complying with the EU restriction on transfers of personal data from the EU to the U.S. Self-certifying under the Privacy Shield is not, however, sufficient for GDPR compliance: the Privacy Shield addresses only the transfer of personal data from the EU to the U.S., not the GDPR’s requirements governing how that data is processed once it has been transferred.
  • Your enterprise customers doing business in the EU are likely to insist, as a contractual matter, that you comply with the GDPR, even if you are not directly subject to the law.
  • The GDPR subjects companies that process EU personal data on behalf of others (processors) to direct compliance obligations and to potential enforcement action and financial penalties. This is a departure from the current Directive, under which compliance obligations fall on the data controller rather than its processors.
  • How to comply with the GDPR: There are a number of options for addressing compliance. We have developed a set of materials to assist clients who are interested in developing their own compliance program, and we can recommend other options for those who prefer a comprehensive review and greater assistance.
  • We recommend that you do not wait to evaluate whether the GDPR applies to your organization, since ensuring compliance involves an extensive review of your processing activities, data flows, inbound and outbound contracts, documentation and products/services.
  • The GDPR will require you to comply with substantive restrictions on the collection and use of personal data, update your privacy policy, modify agreements with your vendors, subcontractors and customers, and review your product or service for GDPR compliance. Because of the unprecedented breadth and reach of the GDPR, you should expect to engage in detailed renegotiations of your inbound and outbound agreements that cover EU data processing activities.
  • Penalties if you fail to comply with the GDPR: If you are subject to the GDPR, you need to understand your obligations. Non-compliance may constitute a significant financial and reputational risk and is also likely to be a significant impediment to doing business with enterprise customers. Fines of up to the greater of EUR 20 million or 4% of annual worldwide turnover may be levied for certain violations (a lower tier of up to the greater of EUR 10 million or 2% applies to others), and violators also face the possibility of lawsuits from individual data subjects (including class actions) seeking damages for both material and non-material harm (e.g., distress).
  • The GDPR may have a significant impact on your organization and the ways you process data. We recommend that you consult with one of the Gunderson Dettmer attorneys below to discuss your situation in more detail.

If you have any questions regarding the matters covered in this client alert, you may contact the following GD attorneys:

Anna Westfelt (SV)

650-463-5367

Katherine Gardner (NY)

212-430-3188

You may also contact your regular Gunderson Dettmer attorney or any of the following privacy and data security contacts:

Colin Chapman (SV)

650-463-5490

Tom Villeneuve (SV)

650-463-5460

Gina Marek (SV)

650-463-5242

Aaron Rubin (NY)

212-430-3181

Aaron Fiske (SV)

650-463-5443

Marna Pattaropong (BOS)

617-648-9299

Peter Schoch (BOS)

617-648-9233

David Sharrow (NY)

212-430-3161

Brendan McCarthy (SD)

850-436-8013