New EU Data Protection Regulation Is Now Enacted

April 14, 2016

On April 14, 2016, the European Parliament formally adopted the General Data Protection Regulation (GDPR).1 With this vote, the new EU data protection legal framework will become legally effective two years and 20 days after its publication in the EU Official Journal (expected in May 2016). By May 2018, companies will have to comply with its stringent new requirements.

The GDPR will significantly impact all companies doing business in the EU, including U.S.-based enterprises that offer goods or services to (or collect or use data concerning) EU individuals. The regulation includes, among other things, stricter conditions for consent, new rights for individuals, data breach notification requirements, and massive new enforcement powers, including fines up to 4 percent of a company's global turnover. A summary of some of the key changes introduced by the regulation can be found here.

As the text of the GDPR is now final, companies should review how the regulation will impact their business and assess how they plan to comply with it. Changing practices takes time and should be planned in advance.

Wilson Sonsini Goodrich & Rosati will be hosting "Getting Ready for the GDPR," a series of practical webinars to help you in this endeavor. The first webinar is scheduled for May 10 at 9:30 a.m. PT. During this webinar, we will provide a general overview and discuss the main GDPR concepts, principles, and obligations. You can register here.

Wilson Sonsini Goodrich & Rosati routinely helps clients manage risks related to the enforcement of privacy and data protection laws globally, along with advising clients on EU privacy and data security issues. For more information, please contact Cédric Burton, Christopher Kuner, Lydia Parnes, Michael Rubin, Chris Olsen, or another member of the firm's privacy and data protection practice.

Laura De Boel, Sarah Cadiot, and Sára G. Hoffman contributed to the preparation of this WSGR Alert.