GDPR Day is the 25th of May 2018, the day Europe will unleash data protection regulations on corporate America. The days are moving fast; be prepared! While a Pulse survey (January 2017) from PwC suggested that 71% of large multinationals had begun preparations for GDPR and 6% had completed the work, I suspect that most US companies have no idea what could greet them in the new year.
Few US companies are aware that European lawmakers have fretted over data protection for decades, while the US gave not a damn. The Council of Europe signed the “Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data” in 1981. It was born in France, like the Statue of Liberty, and will be generously gifted to the US next year.
Unlike the Statue of Liberty, it has grown significantly. Its previous incarnation was called the Data Protection Directive 95/46/EC, and it applied to all companies operating in EU nations that stored or processed personal data.
The GDPR is stronger than its predecessor (contains new protections), broader than its predecessor (it applies to all companies), and it has sharper teeth than its predecessor.
It’s the gleaming white teeth that attract most admiration or fear.
They look like this:
- Breaches of the lesser provisions: fines of up to €10 million or 2% of global annual turnover for the preceding financial year, whichever is the greater.
- Breaches of the most important provisions: fines of up to €20 million or 4% of global annual turnover for the preceding financial year, whichever is the greater.
Oh, the shark has pretty teeth dear, and he shows them pearly white…
Back in the Day
Back in the day, if US companies operating in Europe wanted to avoid tiresome data protection regulations, they could evade them by not storing personal data on European soil. Those that kept their data elsewhere were thus immune and made few efforts to conform to EU norms, while EU companies toed the line.
If you are wondering what qualifies as personal data according to the great white GDPR shark, it is precisely this (I’m using its own words): name, identification number, location data, online identifier, one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
Whoever wrote those words was playing Pokémon and trying to catch ’em all. Think of the digital footprint that someone makes as they skip from here to there across their favorite Internet haunts. Whether they’re buying stuff or socializing or simply browsing out of boredom, all the data they create is related to them, and that collection of EU words probably catches it.
And now the GDPR has caught up with US corporations; it will no longer matter where personal data is held. If it’s personal data about someone residing in the EU (and also the soon-to-Brexit British, who are just as enamored of data protection as the EU they are Brexiting), then the regulations apply to your company. Consequently, violation of those regulations will cause the great white GDPR shark to flash its teeth in your direction.
Some major US multinationals may well have prepared themselves for GDPR Day, but it’s likely that the vast majority of US companies have not. And some companies, prepared or otherwise — I’m talking about you, Facebook — may well discover that their business model requires surgical intervention. Did I catch a headline recently announcing that Mark Zuckerberg was selling up to 75 million Facebook shares? What’s that about?
There are many aspects to GDPR that I could discuss here, but the only one I’ll mention is “consent,” and leave the rest for another blog post. Consent is a fundamental GDPR requirement: You have to ask your EU customers to give consent to their data being stored, and you also have to ask them to give their consent for every process that you run against their data. And every time you introduce any new process of that ilk, you have to ask them again.
Who does that?
(Originally published on Medium.com)