The European Union’s General Data Protection Regulation (“GDPR”) goes into effect in just a few weeks on May 25, 2018.

GDPR is a data protection and privacy law that aims to protect the data of all individuals within the European Union. You may be wondering why this would be a concern for a US-based company, especially since the US has its own state privacy laws. Well, if a US-based company has access to or uses the personal data of an individual in the EU, whether the related business transaction is conducted in the US or elsewhere, that company will likely be subject to GDPR. (It should be noted that there are a few exemptions.)

Under GDPR, it is necessary for companies to show that personal data of EU individuals is properly secured, and that consent to have and/or use such data has been obtained. Additionally, the EU individuals must be informed of how their personal data is being used, with whom it is being shared, and how they can withdraw consent. These requirements are much more stringent than those of the directive it is replacing, the 1995 Data Protection Directive. Since 1995, the use of the internet and the need for privacy and data security have grown tremendously, which is why this new law has been enacted.

GDPR goes into effect on May 25, 2018, and companies subject to GDPR must ensure that they are in compliance. Additionally, companies using external sources, as data processors, must also ensure that such data processors are in compliance with GDPR. Under GDPR, both data controllers and data processors must be in compliance with GDPR and are both required to take action in the event of a data breach. Should a data breach occur, under GDPR, both the data controller and the data processor are required to notify the governing authorities and individuals whose data has been exposed.

Should the data controller and/or the data processor fail to comply with GDPR, a significant fine could be assessed. The fine for failure to comply is up to 4% of annual global sales/turnover or €20 million, whichever is greater. With such steep penalties for failure to comply, it is in a company’s best interest to ensure compliance with the requirements under GDPR by May 25, 2018. As mentioned earlier, companies must also ensure that businesses that share regulated data, within their control, are also in compliance and have adequate controls and policies to ensure continued compliance.

Should you have questions or require assistance with GDPR compliance, please contact AAG at 845-470-2027 or visit our website,

AAG offers business and legal services such as business organization/formation, strategic planning, and continued legal and operational support as your business develops. AAG can also assist with legal overflow projects, or serve as your external in-house counsel to assist you with your day to day legal and business operational needs.

For more information, please contact AAG at 845-470-2027 or visit our website at