February 2018 Bar Bulletin
By Alex Modelski and Sameena Habib
The General Data Privacy Regulation (GDPR), effective on May 25, replaces the 1995 European Union (EU) Privacy Directive. The GDPR threatens hefty penalties for non-compliance — up to 20 million euros (23.5 million U.S. dollars) or 4 percent of annual global revenue, whichever is greater.
The GDPR applies to U.S. companies that are “controllers,” e.g., U.S. SaaS (“software as a service”) companies collecting personally identifiable data from EU residents, or “processors,” e.g., U.S. vendors processing such data on behalf of controllers, whose processing activities relate to either the offering of goods or services (even...