May 24, 2018 Article

Primer on Compliance with the General Data Protection Regulation (“GDPR”) for U.S. Business

GDPR Alert

The European Union (the “EU”) adopted the General Data Protection Regulation (“GDPR”) to establish new, stringent, and uniform privacy and data security regulations.  While the primary impact will be on EU-based companies, the GDPR also applies to firms outside the EU that offer goods or services to individuals in the EU, or that monitor the behaviour of individuals in the EU, regardless of where the resulting personal data is processed.  The GDPR takes effect on May 25, 2018.

Key Underlying Principle

A key principle underlying the GDPR is that the ownership of personal data is deemed to remain with the individual data subject and not with businesses collecting, using, or processing that individual’s data. This is the opposite of the typical US perspective that businesses own and control personal data provided to them. 

Under the GDPR, “personal data” is broadly defined as “any information relating to an identified or identifiable natural person” such as a name, identification number, location data (e.g., address), an online identifier or information about the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.  The term “processing” is defined broadly to include collection, recording, organization, structuring, storage, or use of personal data. 

Application of the GDPR to Businesses in the United States

The GDPR is not limited to EU businesses.  It can apply even where a non-EU business maintains no EU facilities and has no EU employees.  Nor is the GDPR limited to consumer transactions.  It applies to business-to-business transactions where the personal data of any individual in the EU is processed (a business contact’s name and work e-mail address are personal data).  The GDPR applies regardless of the size of a business; small businesses are not exempt. 

Where a non-EU business offers goods or services for sale in the EU and collects the personal data of individuals in the EU while doing so, the GDPR applies.  The GDPR also applies to a US business that does not offer goods or services in the EU but monitors the behaviour of individuals in the EU, for example by tracking or profiling EU visitors to its website; collecting, storing, or otherwise processing the resulting personal data is covered.  According to Article 3 of the GDPR:

This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

  1. the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
  2. the monitoring of their behaviour as far as their behaviour takes place within the Union.

Because the GDPR is new, no enforcement history demonstrates how EU regulators may attempt to enforce it against non-EU businesses, or what activities potentially within the scope of the GDPR may be deemed de minimis even though technically subject to the GDPR.  Because European regulators have no direct means of enforcement inside the United States, US businesses with a facility or affiliate in the EU are at greater practical risk of enforcement for non-compliance than businesses that sell into the EU but have no offices, employees, or affiliates within the EU.  Note, however, that Article 27 generally requires a non-EU controller or processor that falls within Article 3(2) to designate a representative located in the EU, which gives regulators and data subjects a point of contact within their jurisdiction.  US businesses that engage in substantial sales activities in the EU or collect particularly sensitive personal data (e.g., medical information) are also at greater risk.

How to Comply with GDPR

To comply with GDPR, a firm should understand what EU personal data is within its possession, develop a plan to comply with the GDPR, execute that plan, and then audit, monitor and document compliance. 

Step One: Assess What’s Going on with EU Personal Data.  To comply with the GDPR, a business needs to get a handle on the personal data in its possession, custody, or control.  This likely requires an information audit and data risk assessment.  What types of customer and employee personal data does the firm maintain?  Does any of that data concern individuals in the EU?  How is that data shared or transferred?  How is the data used or processed?  Who has access to the data?  How is the data secured?  How long are different categories of data kept before deletion?  What do contracts with vendors or others say about data?  A lead person for GDPR compliance should be designated; under Article 37, a formal data protection officer is required where a business’s core activities involve large-scale regular and systematic monitoring of individuals, or large-scale processing of the designated “special categories of data” (such as health data).  A GDPR compliance team may include legal, human resources, information technology, and marketing personnel.

Step Two: Plan.  After an information audit has been undertaken, the business should develop a plan to comply with the GDPR tailored to its personal data collection practices, needs, and business model.  There is no one-size-fits-all approach.  A plan may range from limiting collection or processing of EU personal data so that the business falls outside the reach of the GDPR, to bringing the business into full compliance with the GDPR for all personal data, to focusing only on EU personal data (if such a narrow focus is feasible).  The primary elements of the plan should include:

(A) review of privacy policies and notices to ensure that their contents are clear, concise, and easily understandable and that the substance of the policies and notices complies with the GDPR.  Among other things, policies should address the rights of access, rectification, erasure, and data portability, and the right to object to certain types of personal data processing;

(B) review of consent practices and policies to ensure that consent related to personal data is obtained in compliance with GDPR;

(C) ensuring that personal data is subject to an “appropriate level of security,” including protection against unauthorized or unlawful processing and accidental loss, destruction, or damage.  The “appropriate level of security” takes into account several factors, among them the state of the art; the costs of implementation; the nature, scope, context, and purposes of the processing; and the likelihood and severity of harm to the data subjects.  Article 32 lists pseudonymization and encryption of personal data, the ability to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems, the ability to restore availability and access to personal data in a timely manner after an incident, and a process for regularly testing and evaluating the effectiveness of these measures;

(D) ensuring that vendors, suppliers, dealers, and affiliates with access to personal data comply with the GDPR (Article 28 requires a written contract with each processor that sets out the subject matter, duration, nature, and purpose of the processing and the processor’s obligations, including security and sub-processor terms), and obtaining appropriate indemnification and warranties to mitigate risk in the event any third party with such access fails to comply; and

(E) a plan for notification and response in the event of a data breach.  Under Article 33, a controller must notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a breach (unless the breach is unlikely to result in a risk to individuals), and under Article 34 must notify the affected individuals without undue delay where the breach is likely to result in a high risk to them.  A processor must notify its controller without undue delay.

As part of the plan, US-based businesses should also consider how they will be able to demonstrate GDPR compliance with respect to transfers of personal data from the EU to the US.  Options available as of the date of this article include self-certification under the EU-U.S. Privacy Shield framework, execution of the EU standard contractual clauses regarding data processing, and adoption of binding corporate rules.

Step Three: Implement.  The plan should be implemented.  This may require budgeting for legal, compliance or IT services.  The plan may take a phased approach to prioritize high-risk areas first. 

Step Four: Audit. The business should then audit and monitor compliance.  Documentation should be retained demonstrating that the firm complies with the GDPR.  Evidence of compliance may be requested by regulators in the event of enforcement or by third-party business partners.


The GDPR is complex, broad and here to stay.  U.S. businesses ignore it at their peril.

For more information on GDPR, contact Sigmund D. Schutz at [email protected] or Rue K. Toland at [email protected].
