“GDPR – please not again …” In recent times there is hardly any other legal topic more often written and talked about than the new EU General Data Protection Regulation (“GDPR”).

In light of the severe penalties and with less than 100 days until the GDPR goes into full effect (on May 25th, 2018), it is time for U.S. companies to take steps to prepare. Below are some key points to consider and pragmatic to-dos to assist in assessing whether your organization is ready for GDPR compliance.

  • GDPR may apply to U.S.-based companies with zero employees and no offices within the boundaries of the EU territory

While the EU Data Protection Directive of 1995 did not apply to businesses outside the EU territory, this is no longer the case under GDPR.

Now any business may be subject to the new law if it processes personal data of an individual residing in the EU; not even a single transaction needs to occur. As long as your data processing relates to offering services or monitoring behavior on the EU market of EU data subjects – the GDPR may apply to your U.S.-based business. The location of a consumer is the key term to identify whether an individual is deemed a “data subject in the Unio.” While”location” does not necessarily relate to the consumer’s legal “citizenship” or “residenc,” lawyers often use the term “residency” as a short hand way of referring to those people to whom the direction of services might