May 24, 2018 Article

Primer on Compliance with the General Data Protection Regulation (“GDPR”) for U.S. Business

GDPR Alert

The European Union (the “EU”) adopted the General Data Protection Regulation (“GDPR”) to establish new, stringent, and uniform privacy and data security regulations.  While the primary impact will be on EU-based companies, the GDPR also applies to firms outside the EU that do business within the EU or process the personal data of EU residents, regardless of where that data is processed.  The GDPR takes effect on May 25, 2018.

Key Underlying Principle

A key principle underlying the GDPR is that the ownership of personal data is deemed to remain with the individual data subject and not with businesses collecting, using, or processing that individual’s data. This is the opposite of the typical US perspective that businesses own and control personal data provided to them. 

Under the GDPR, “personal data” is broadly defined as “any information relating to an identified or identifiable natural person” such as a name, identification number, location data (e.g., address), an online identifier or information about the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.  The term “processing” is defined broadly to include collection, recording, organization, structuring, storage, or use of personal data. 

Application of the GDPR to Businesses in the United States

The GDPR is not limited to EU businesses.  It can apply even where non-EU businesses maintain no EU facilities and have no EU employees.  Nor is the GDPR limited to consumer transactions.  It applies to business-to-business transactions where any EU resident’s personal data is processed.  The GDPR applies regardless of the size of a business; small businesses are not exempt.

Where a non-EU business offers goods or services for sale in the EU and collects the personal data of EU residents while doing so, the GDPR applies.  The GDPR also applies to any US business that collects, stores, or otherwise processes EU residents’ personal data even if the business itself does not offer goods or services for sale in the EU.  According to Article 3 of the GDPR:

This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

  1. the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
  2. the monitoring of their behaviour as far as their behaviour takes place within the Union.

Because the GDPR is new, no enforcement history demonstrates how EU regulators may attempt to enforce it against non-EU businesses, or what activities potentially within the scope of the GDPR may be deemed de minimis even though technically subject to the GDPR.  Because European regulators lack jurisdiction to enter US offices, US businesses with a facility or affiliate in the EU are at greater risk of enforcement for non-compliance than businesses that sell into the EU but have no offices, employees, or affiliates within the EU.  US businesses that engage in substantial sales activities in the EU or collect particularly sensitive personal data (e.g., medical information) are also at greater risk.

How to Comply with GDPR

To comply with GDPR, a firm should understand what EU personal data is within its possession, develop a plan to comply with the GDPR, execute that plan, and then audit, monitor and document compliance. 

Step One: Assess What’s Going on with EU Personal Data.  To comply with the GDPR, a business needs to get a handle on personal data in its possession, custody, or control.  This likely requires an information audit and data risk assessment.  What type of customer and employee personal data does the firm maintain?  Does any of that data concern EU residents?  How is that data shared or transferred?  How is data used or processed?  Who has access to data?  How is data secured?  How long are different categories of data kept before deletion?  What do contracts with vendors or others say about data?  A lead person for GDPR compliance should be designated and may be required by the GDPR under certain circumstances, such as if the business processes any of the designated “special categories of data.”  A GDPR compliance team may include legal, human resources, information technology, and marketing personnel.

Step Two: Plan.  After an information audit has been undertaken, the business should develop a plan to comply with GDPR tailored to its personal data collection practices, needs, and business model.  There is no one-size-fits-all approach.  A plan may range from limiting collection or processing of EU residents’ personal data so as to exclude the business from the reach of the GDPR, to bringing the business into full compliance with the GDPR for all personal data, or to focusing only on EU residents’ personal data (if such a narrow focus is feasible).  The primary elements of the plan should include:

(A) review of privacy policies and notices to ensure that their contents are clear, concise, and easily understandable and that the substance of the policies and notices complies with GDPR.  Among other things, policies should address the rights of access, rectification, erasure, and data portability, and the right to object to certain types of personal data processing;

(B) review of consent practices and policies to ensure that consent related to personal data is obtained in compliance with GDPR;

(C) ensuring that personal data is subject to an “appropriate level of security” including protection against unauthorized or unlawful processing and accidental loss, destruction, or damage. The “appropriate level of security” takes into account several factors, among them the state of the art; the costs of implementation; the nature, scope, context, and purposes of the processing; and the risks and severity of harm to the data subjects, and may include pseudonymization and encryption;

(D) ensuring that vendors, suppliers, dealers, and affiliates with access to personal data comply with GDPR, and obtaining appropriate indemnification and warranties mitigating risk in the event any third party with such access fails to comply; and

(E) a plan for notification and response in the event of a data breach.

As part of the plan, US-based businesses should also consider how they will be able to demonstrate GDPR compliance with respect to transfers of data from the EU to the US. Current options include self-certification with the Privacy Shield framework, execution of the EU standard contractual clauses regarding data processing, and adoption of binding corporate rules.

Step Three: Implement.  The plan should be implemented.  This may require budgeting for legal, compliance or IT services.  The plan may take a phased approach to prioritize high-risk areas first. 

Step Four: Audit. The business should then audit and monitor compliance.  Documentation should be retained demonstrating that the firm complies with the GDPR.  Evidence of compliance may be requested by regulators in the event of enforcement or by third-party business partners.

Conclusion

The GDPR is complex, broad and here to stay.  U.S. businesses ignore it at their peril.

For more information on GDPR, contact Sigmund D. Schutz at [email protected] or Rue K. Toland at [email protected].
