Publications
May 24, 2018 Article

Primer on Compliance with the General Data Protection Regulation (“GDPR”) for U.S. Business

GDPR Alert

The European Union (the “EU”) adopted the General Data Protection Regulation (“GDPR”) to establish new, stringent, and uniform privacy and data security regulations.  While the primary impact will be on EU-based companies, the GDPR also applies to firms outside the EU that do business within the EU or process the personal data of EU residents, regardless of where that data is processed.  The GDPR takes effect on May 25, 2018.

Key Underlying Principle

A key principle underlying the GDPR is that the ownership of personal data is deemed to remain with the individual data subject and not with businesses collecting, using, or processing that individual’s data. This is the opposite of the typical US perspective that businesses own and control personal data provided to them. 

Under the GDPR, “personal data” is broadly defined as “any information relating to an identified or identifiable natural person” such as a name, identification number, location data (e.g., address), an online identifier or information about the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.  The term “processing” is defined broadly to include collection, recording, organization, structuring, storage, or use of personal data. 

Application of the GDPR to Businesses in the United States

The GDPR is not limited only to EU businesses.  It can apply even where non-EU businesses maintain no EU facilities and have no EU employees.  Nor is the GDPR limited only to consumer transactions.  It applies to business-to-business transactions where any EU resident’s personal data is processed.  The GDPR applies regardless of the size of a business; small businesses are not exempt. 

Where a non-EU business offers goods or services for sale in the EU and collects the personal data of EU residents while doing so, the GDPR applies.  The GDPR also applies to any US business that collects, stores, or otherwise processes EU residents’ personal data even if the business itself does not offer goods or services for sale in the EU.  According to Article 3 of the GDPR:

This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

  1. the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
  2. the monitoring of their behaviour as far as their behaviour takes place within the Union.

Because the GDPR is new, no enforcement history demonstrates how EU regulators may attempt to enforce it against non-EU businesses, or what activities potentially within the scope of the GDPR may be deemed de minimis even though technically subject to the GDPR.  Because European regulators lack jurisdiction to enter US offices, US businesses with a facility or affiliate in the EU are at greater risk of enforcement for non-compliance than businesses that sell into the EU but have no offices, employees, or affiliates within the EU.  US businesses that engage in substantial sales activities in the EU or collect particularly sensitive personal data (e.g., medical information) are also at greater risk.

How to Comply with GDPR

To comply with GDPR, a firm should understand what EU personal data is within its possession, develop a plan to comply with the GDPR, execute that plan, and then audit, monitor and document compliance. 

Step One: Assess What’s Going on with EU Personal Data.  To comply with the GDPR, a business needs to get a handle on personal data in its possession, custody, or control.  This likely requires an information audit and data risk assessment.  What type of customer and employee personal data does the firm maintain?  Does any of that data concern EU residents?  How is that data shared or transferred?  How is data used or processed?  Who has access to data?  How is data secured?  How long are different categories of data kept before deletion?  What do contracts with vendors or others say about data?  A lead person for GDPR compliance should be designated and may be required by the GDPR under certain circumstances, such as if the business processes any of the designated “special categories of data.”  A GDPR compliance team may include legal, human resources, information technology, and marketing personnel.

Step Two: Plan.  After an information audit has been undertaken, the business should develop a plan to comply with GDPR tailored to its personal data collection practices, needs, and business model.  There is no one-size-fits-all approach.  A plan may range from limiting collection or processing of EU residents’ personal data to exclude the business from the reach of the GDPR, to bringing the business into full compliance with the GDPR for all personal data, or to focus only on EU residents’ personal data (if such a narrow focus is feasible).  The primary elements of the plan should include:

(A) review of privacy policies and notices to ensure that their contents are clear, concise, and easily understandable and that the substance of the policies and notices comply with GDPR.  Among other things, policies should address rights of access, rectification, erasure, data portability, and to object to certain types of personal data processing;

(B) review of consent practices and policies to ensure that consent related to personal data is obtained in compliance with GDPR;

(C) ensuring that personal data is subject to an “appropriate level of security” including protection against unauthorized or unlawful processing and accidental loss, destruction, or damage. The “appropriate level of security” takes into account several factors, among them the state of the art; the costs of implementation; the nature, scope, context, and purposes of the processing; and the risks and severity of harm to the data subjects, and may include pseudonymization and encryption;

(D) ensuring that vendors, suppliers, dealers, and affiliates with access to personal data comply with GDPR and obtain appropriate indemnification and warranties mitigating risk in the event any third-party with such access fails to comply; and

(E) a plan for notification and response in the event of a data breach.

As part of the plan, US-based businesses should also consider how they will be able to demonstrate GDPR compliance with respect to transfers of data from the EU to the US. Current options include self-certification with the Privacy Shield framework, execution of the EU standard contractual clauses regarding data processing, and adoption of binding corporate rules.

Step Three: Implement.  The plan should be implemented.  This may require budgeting for legal, compliance or IT services.  The plan may take a phased approach to prioritize high-risk areas first. 

Step Four: Audit. The business should then audit and monitor compliance.  Documentation should be retained demonstrating that the firm complies with the GDPR.  Evidence of compliance may be requested by regulators in the event of enforcement or by third-party business partners.

Conclusion

The GDPR is complex, broad and here to stay.  U.S. businesses ignore it at their peril.

For more information on GDPR, contact Sigmund D. Schutz at [email protected] or Rue K. Toland at [email protected].

Firm Highlights

Publication

How to comply with Maine’s new paid leave law

Fittingly, “Vacation Land” is among a small contingent of states that have a paid leave law on the books.  Maine, however, is somewhat unique in that the paid leave afforded under the new law...

News

Preti Flaherty Adds Six to Environmental and Litigation Practice Groups

Preti Flaherty is pleased to announce the arrival of six new members to the firm: Katherine L. Oaks, Kevin C. Osantowski, Laura Lee Barry Wommack, Nicholas A. Dube, Martin C. Topol, and Allaina Murphy...

Publication

Legislative Alert: 2020 Election and State House Update

(Current as of 11/4/20 at 2:30 PM EST) Presidential Maine is one of two states in the country that splits its electoral votes. As in 2016, this turned Maine’s more rural 2nd Congressional District...

Publication

Legislative Alert: House Democratic and Senate Republican Leadership Elections

Senate Republicans held their leadership votes on Tuesday, November 10 th . As expected, Senator Jeff Timberlake was elected as Republican Leader. Both Senator Matt Pouliot and Senator Trey Stewart ran to be the...

Press Coverage

Diverse Lawyers Matter: Maine’s Legal Community Tackles Racism in the Profession

Mainebiz surveys local attorneys on the ongoing lack of diversity in the legal profession, how public opinion has changed in the last few years in confronting the issue, some of the reasons this problem persists...

Press Coverage

Trump Legal Team Pursues Contradictory Strategy

As the Trump campaign continues to present court challenges to electoral procedures, the Portland Press Herald interviews several Maine attorneys, including Matt Warner of Preti Flaherty, on the merits of the cases and their...

News

Twenty-Three Preti Flaherty Attorneys Selected for Inclusion in 2020 Super Lawyers

Twenty-three Preti Flaherty attorneys have been selected for recognition by Super Lawyers , including thirteen Rising Stars. Super Lawyers rates outstanding lawyers throughout the United States in more than 70 practice areas. Only five...

News

Preti Flaherty Joins Maine Justice Foundation for Racial Justice Fund

As part of our ongoing efforts to promote racial justice, Preti Flaherty has joined with the Maine Justice Foundation and other local businesses and philanthropists to create the Racial Justice Fund . Each of the 22 founders...

News

U.S. News – Best Lawyers Ranks Preti Flaherty Among 2021 Best Law Firms

Preti Flaherty has been named among the 2021 Best Law Firms by the U.S. News – Best Lawyers rankings. To be eligible for ranking, a law firm must have at least one attorney named...

Publication

Legislative Alert: Legislative Leadership Election Update

The Senate Democratic Caucus met on November 5 th and, as expected, re-elected their current leadership team. Thus Senate President Troy Jackson (D-Aroostook), Senate Majority Leader Nate Libby (D-Androscoggin), and Senate Majority Assistant Leader...