Primer on Compliance with the General Data Protection Regulation (“GDPR”) for U.S. Business
The European Union (the “EU”) adopted the General Data Protection Regulation (“GDPR”) to establish new, stringent, and uniform privacy and data security regulations. While the primary impact will be on EU-based companies, the GDPR also applies to firms outside the EU that do business within the EU or process the personal data of EU residents, regardless of where that data is processed. The GDPR takes effect on May 25, 2018.
Key Underlying Principle
A key principle underlying the GDPR is that the ownership of personal data is deemed to remain with the individual data subject and not with businesses collecting, using, or processing that individual’s data. This is the opposite of the typical US perspective that businesses own and control personal data provided to them.
Under the GDPR, “personal data” is broadly defined as “any information relating to an identified or identifiable natural person” such as a name, identification number, location data (e.g., address), an online identifier or information about the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person. The term “processing” is defined broadly to include collection, recording, organization, structuring, storage, or use of personal data.
Application of the GDPR to Businesses in the United States
The GDPR is not limited only to EU businesses. It can apply even where non-EU businesses maintain no EU facilities and have no EU employees. Nor is the GDPR limited only to consumer transactions. It applies to business-to-business transactions where any EU resident’s personal data is processed. The GDPR applies regardless of the size of a business; small businesses are not exempt.
Where a non-EU business offers goods or services for sale in the EU and collects the personal data of EU residents while doing so, the GDPR applies. The GDPR also applies to any US business that collects, stores, or otherwise processes EU residents’ personal data even if the business itself does not offer goods or services for sale in the EU. According to Article 3 of the GDPR:
This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
- the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
- the monitoring of their behaviour as far as their behaviour takes place within the Union.
Because the GDPR is new, no enforcement history demonstrates how EU regulators may attempt to enforce it against non-EU businesses, or what activities potentially within the scope of the GDPR may be deemed de minimis even though technically subject to the GDPR. Because European regulators lack jurisdiction to enter US offices, US businesses with a facility or affiliate in the EU are at greater risk of enforcement for non-compliance than businesses that sell into the EU but have no offices, employees, or affiliates within the EU. US businesses that engage in substantial sales activities in the EU or collect particularly sensitive personal data (e.g., medical information) are also at greater risk.
How to Comply with GDPR
To comply with the GDPR, a firm should understand what EU personal data is within its possession, develop a plan to comply with the GDPR, execute that plan, and then audit, monitor, and document compliance.
Step One: Assess What’s Going on with EU Personal Data. To comply with the GDPR, a business needs to get a handle on personal data in its possession, custody, or control. This likely requires an information audit and data risk assessment. What type of customer and employee personal data does the firm maintain? Does any of that data concern EU residents? How is that data shared or transferred? How is data used or processed? Who has access to data? How is data secured? How long are different categories of data kept before deletion? What do contracts with vendors or others say about data? A lead person for GDPR compliance should be designated and may be required by the GDPR under certain circumstances, such as if the business processes any of the designated “special categories of data.” A GDPR compliance team may include legal, human resources, information technology, and marketing personnel.
Step Two: Plan. After an information audit has been undertaken, the business should develop a plan to comply with the GDPR tailored to its personal data collection practices, needs, and business model. There is no one-size-fits-all approach. A plan may range from limiting collection or processing of EU residents’ personal data so as to exclude the business from the reach of the GDPR, to bringing the business into full compliance with the GDPR for all personal data, to focusing only on EU residents’ personal data (if such a narrow focus is feasible). The primary elements of the plan should include:
(A) review of privacy policies and notices to ensure that their contents are clear, concise, and easily understandable and that the substance of the policies and notices complies with the GDPR. Among other things, policies should address the rights of access, rectification, erasure, and data portability, and the right to object to certain types of personal data processing;
(B) review of consent practices and policies to ensure that consent related to personal data is obtained in compliance with GDPR;
(C) ensuring that personal data is subject to an “appropriate level of security” including protection against unauthorized or unlawful processing and accidental loss, destruction, or damage. The “appropriate level of security” takes into account several factors, among them the state of the art; the costs of implementation; the nature, scope, context, and purposes of the processing; and the risks and severity of harm to the data subjects, and may include pseudonymization and encryption;
(D) ensuring that vendors, suppliers, dealers, and affiliates with access to personal data comply with the GDPR, and obtaining appropriate indemnification and warranties to mitigate risk in the event any third party with such access fails to comply; and
(E) a plan for notification and response in the event of a data breach.
As part of the plan, US-based businesses should also consider how they will be able to demonstrate GDPR compliance with respect to transfers of data from the EU to the US. Current options include self-certification with the Privacy Shield framework, execution of the EU standard contractual clauses regarding data processing, and adoption of binding corporate rules.
Step Three: Implement. The plan should be implemented. This may require budgeting for legal, compliance or IT services. The plan may take a phased approach to prioritize high-risk areas first.
Step Four: Audit. The business should then audit and monitor compliance. Documentation should be retained demonstrating that the firm complies with the GDPR. Evidence of compliance may be requested by regulators in the event of enforcement or by third-party business partners.
The GDPR is complex, broad and here to stay. U.S. businesses ignore it at their peril.