The General Data Protection Regulation replaces the EU Data Protection Directive as the framework for EU privacy and data protection.

Overview

The GDPR went into effect on May 25, 2018, and for most companies doing business in the EU, coming into compliance will require significant time and resources.

GDPR Compliance Services

How Perkins Coie Can Help

Perkins Coie’s Privacy & Data Security lawyers have a deep understanding of the GDPR requirements for both data controllers and data processors, and regularly counsel companies doing business in the EU to help them meet the GDPR’s requirements. We work with clients to help them:

  • Fully understand their current privacy and data protection practices, policies and procedures;
  • Identify gaps in compliance and industry best practices and provide recommendations to remediate these gaps;
  • Design and implement enhanced privacy and data protection practices, policies and procedures that comply with the GDPR. 

Over the last decade, we have acted as the global strategic quarterback for many clients, helping them develop comprehensive privacy and data security programs that protect them from legal exposure in countries around the world.

 

Resources

 
  • WP29 Guidelines and Opinions
    Identified resources from the Article 29 Working Party related to the GDPR.  Read More >
 
  • Data Subject Requests
    Data Subject Requests Under the GDPR: A Step By Step Guide. Read More >
 
  • Article 28 Checklist
    Pursuant to Article 28, contracts between controllers and processors must fulfill these requirements. View the Checklist >
 
  • Data Breach Notification Requirements 
    Breach notification requirements under the General Data Protection Regulation, Reg. (EU) 2016/679, Arts. 33-34. Read More >
 
  • Privacy Notice Compliance Checklist
    A checklist for GDPR privacy notice compliance. View the Checklist >


GDPR Essentials

Extraterritorial Scope

Companies that have no physical presence in the EU may still be subject to the GDPR. The regulation applies to companies with an establishment in the EU, and also to companies outside the EU that offer goods or services to individuals in the EU or monitor the behavior of individuals in the EU, and as a result process their personal data. The GDPR broadly defines “personal data” as any information relating to an identified or identifiable person, such as names, contact information, location data and online and mobile identifiers (such as cookie IDs, IP addresses and device identifiers).

Enhanced Rights for Data Subjects

Under the GDPR, companies are required to give EU data subjects greater visibility into and control over how their personal data is processed. The GDPR sets explicit requirements for the notice companies must provide to data subjects before processing their personal data. It also grants data subjects broad rights over their personal data, including the right to be forgotten (erasure), the right to access and correct their data, the right to data portability, the right to restrict certain processing, the right to object to processing, the right to withdraw consent at any time, and the right not to be subject to decisions based solely on automated processing, including profiling. Companies need to review, and likely revamp, their data practices, procedures and policies to ensure that they can meet these obligations, generally within one month of receiving a request.

Privacy By Design and By Default

Companies subject to the GDPR are required to build privacy into their operations. Privacy by default requires that, by default, companies collect, process and retain only the personal data necessary for each specific purpose. Privacy by design requires companies to implement appropriate technical and organizational measures both when determining the means of processing and during the processing itself.

For example, companies are encouraged, wherever possible, to pseudonymize personal data by processing it so that it can no longer be attributed to a specific data subject without additional information that is kept separately and protected. The GDPR also sets standards for the security of processing that apply to both data controllers and data processors, such as encryption, the ability to restore availability after an incident, and regular testing of security measures. Where a type of processing uses new technology or is likely to result in a high risk to data subjects, including profiling or large-scale processing of special categories of data, the data controller must carry out a data protection impact assessment (DPIA). The assessment must be detailed and documented, and where it indicates that the processing would result in a high risk absent mitigating measures, prior consultation with a supervisory authority is required.
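The pseudonymization the paragraph above recommends is easy to get wrong: an unkeyed hash of an e-mail address or IP address is not effective pseudonymization, because an attacker can hash every plausible value and match the results. The following added example (not code from the Perkins Coie page) contrasts that naive approach with a keyed HMAC whose key is the "additional information" held separately from the pseudonymized records. The record fields, the 203.0.113.0/24 address range and the candidate list are constructed sample data.

```python
"""Keyed pseudonymization of direct identifiers (added example, not from the page).

Shows that a plain SHA-256 of an identifier is reversible by guessing, while an
HMAC under a separately held key is not reversible without that key. The
sample record and the 203.0.113.0/24 address range are constructed test data.
"""
import hashlib
import hmac
import ipaddress
import secrets
from typing import Callable, Iterable, Optional

# Fields treated as direct identifiers in the sample record (assumption).
DIRECT_IDENTIFIERS = ("email", "ip", "device_id")


def naive_pseudonym(value: str) -> str:
    """Unkeyed hash: looks opaque but can be reversed by hashing candidate values."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def keyed_pseudonym(value: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key held apart from the pseudonymized data.

    Input is normalised (trimmed, lower-cased) so that the same person's
    identifier maps to one pseudonym regardless of capitalisation.
    """
    normalised = value.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def pseudonymize_record(record: dict, key: bytes,
                        fields: Iterable[str] = DIRECT_IDENTIFIERS) -> dict:
    """Return a copy of `record` with each direct identifier replaced by its keyed pseudonym.

    Non-identifying fields are left untouched so the record stays useful
    for analytics while no longer being attributable without the key.
    """
    out = dict(record)
    for field in fields:
        if out.get(field) is not None:
            out[field] = keyed_pseudonym(str(out[field]), key)
    return out


def reverse_by_guessing(pseudonym: str, candidates: Iterable[str],
                        fn: Callable[[str], str] = naive_pseudonym) -> Optional[str]:
    """Dictionary attack: return the candidate whose pseudonym matches, if any.

    Against `naive_pseudonym` this succeeds for any guessable identifier
    (every IPv4 address is guessable). Against `keyed_pseudonym` it only
    succeeds if the attacker also holds the key.
    """
    for candidate in candidates:
        if hmac.compare_digest(fn(candidate), pseudonym):
            return candidate
    return None


def demo() -> dict:
    """Run the comparison on a constructed record and return the findings."""
    key = secrets.token_bytes(32)  # store this separately from the data
    record = {"email": "Alice@Example.com", "ip": "203.0.113.42", "plan": "pro"}
    pseudo = pseudonymize_record(record, key)
    # An attacker who knows the victim's network only has 254 guesses to make.
    candidates = [str(h) for h in ipaddress.ip_network("203.0.113.0/24").hosts()]
    return {
        "naive_reversed": reverse_by_guessing(naive_pseudonym(record["ip"]), candidates),
        "keyed_reversed_without_key": reverse_by_guessing(pseudo["ip"], candidates),
        "keyed_reversed_with_key": reverse_by_guessing(
            pseudo["ip"], candidates, lambda c: keyed_pseudonym(c, key)),
        "plan_unchanged": pseudo["plan"] == record["plan"],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The key is what makes this pseudonymization rather than a disguise: keep it in a secrets store or HSM with access separate from the dataset, rotate it per purpose where linkage across purposes is not needed, and treat its compromise as re-identification of every record it protects. For IP addresses and other small-space identifiers, an unkeyed hash should be regarded as equivalent to storing the raw value.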

Accountability

The way companies ensure and demonstrate compliance with the GDPR will be scrutinized. The GDPR requires companies to keep clear and accurate records of their data processing activities and compliance efforts. Companies must document the flow of data within their organization and provide detailed information in the event of an audit. Companies may be required to designate a data protection officer to advise and monitor their compliance and to determine whether a data protection impact assessment is required.

The GDPR also imposes a high duty of care on data controllers in selecting service providers to process personal data on their behalf. Data processing contracts must be implemented and must include a range of specific information and obligations. Service providers have similar obligations to pass these contractual requirements down to any sub-processors.

Breach Notification

The GDPR introduces a security breach notification requirement. A controller must notify the supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, with detailed information about the breach, and must also notify the affected data subjects without undue delay if the breach “is likely to result in a high risk to the rights and freedoms of individuals.” Processors must notify the controller without undue delay after becoming aware of a breach.

Penalties

Failure to comply with the GDPR can result in substantial liability, including steep administrative fines imposed by regulators, which can also be levied on a company’s vendors and service providers acting as processors. Fines vary depending on the type of violation, but can be as high as 20 million euros or 4% of a company’s total worldwide annual turnover for the preceding financial year, whichever is higher. Additionally, the GDPR gives individuals the right to bring claims and recover compensation if harmed by a company’s violations.


Industry Reputation

Our work in privacy and data security and related legal areas receives recognition from leading business and legal publications and directories, including the following:

  • Ranked nationally in Privacy and Data Security: The Elite and Privacy & Data Security: Litigation by Chambers USA from 2003 to 2023
  • Ranked Tier 1 nationally for both Information Technology Law and Technology Law by U.S. News—Best Lawyers® in 2022
  • Ranked in the Top 10 Best Law Firms for Privacy and Data Security by Vault from 2018 to 2022
  • Ranked Tier 2 nationally for Regulatory Enforcement Litigation (Telecom) by U.S. News—Best Lawyers® in 2022
  • Named as one of the top law firm Litigation Powerhouses by Law360 in 2016
  • Named a Leader among tech-savvy law firms based on corporate counsel feedback to BTI Brand Elite in 2016
  • Named Law Firm of the Year for Technology Law by U.S. News—Best Lawyers® in 2015

News

Insights

In Privacy Versus the Pandemic, Perkins Coie privacy attorneys take a trip around the world to explore the interplay between privacy and public health during the COVID-19 pandemic. View the series