The European Union’s General Data Protection Regulation (GDPR) is a privacy law that protects the personal information of individuals (or as the law refers to them, “data subjects”) in the European Union (EU).
Although the GDPR is a European regulation, the law is extraterritorial in scope and applies to any business that handles the personal data of EU data subjects. This includes US-based companies that have no physical presence in the EU but control or process the personal data of EU customers.
The GDPR does not necessarily apply to all US businesses with a European presence, nor are the obligations the same for all businesses to which the GDPR applies. But if it does apply to your business, you need to have a clear understanding about your legal obligations because GDPR penalties can be steep.
Overview of the GDPR
Effective May 2018, the GDPR is one of the world’s strongest data protection regulations and has served as model legislation for similar laws that have since been enacted around the globe, including here in the United States. For example, the California Consumer Privacy Act, the Colorado Privacy Act, and the Utah Consumer Privacy Act are modeled on the GDPR.
One of the most notable aspects of the GDPR is that it applies to organizations that are not located in the EU. The main focus of the GDPR is to protect the personal data of people living in the EU. Their data can easily end up in the possession of a US-based company if that company’s website tracks and analyzes EU visitors. And if the company stores or uses the personal data of an EU data subject, it could have obligations under the GDPR.
This begs the question of how, exactly, the GDPR defines “personal data.” The definition is broad and covers any information that can identify an individual. Examples of personal data include a person’s name, identification number, IP address, email address, home address, and location data.[1] Context is key: even if a piece of data, by itself, cannot identify someone, it may still be considered personal data if it can identify the person together with other information about them.
Is My Business Subject to the GDPR?
The GDPR sometimes applies to organizations based outside the EU. Article 3.2 of the GDPR describes[2] two scenarios in which non-EU companies may have to comply with the law:
- The company offers goods and services to people in the EU. Occasional instances of an EU data subject visiting your US website may not meet this definition, but if you specifically cater to EU customers (g., your website includes offerings described in European languages and has Euro pricing), it is more likely that the GDPR applies to you.
- You monitor the behavior of website visitors. Companies that use marketing tools such as tracking cookies that gather data from website visitors fall within the scope of the GDPR. If you do not specifically cater to EU subjects but somebody from an EU country occasionally visits your site, it is less likely—but not impossible—that European regulators will scrutinize your tracking activities.
The GDPR also only applies to “professional or commercial activity,” and not to “purely personal or household activity.” There is a second exception for organizations with fewer than 250 employees. The exemption is partial and applies only to a company’s record-keeping obligations regarding data processing activities.[3]
Data Controllers versus Data Processors
Other key terms used throughout the GDPR are data “controller” and data “processor.” Processing personal data covers activities such as gathering, collecting, and storing personal data, while controlling personal data involves determining what to do with personal data that has been processed. A company that decides “why” and “how” the personal data should be processed is the data controller.[4]
For example, Company A collects personal data from its customers to sell them products. Company A is a controller. Company A provides the data it has collected to payment and shipping vendors. These vendors are processors.
A data processor is typically a third party (such as a cloud storage company or IT services company) external to a controller that processes personal data on behalf of the controller. However, there are cases where a company qualifies as both a controller and a processor.
Whether you are a controller or processor (or both) determines in part your specific legal obligations under the GDPR. Controllers generally have greater responsibilities—and liabilities—than processors under the GDPR, but their actual duties vary.
For example, controllers must have a lawful basis for collecting data and processors must keep records of their processing activities. Both controllers and processors must implement GDPR-compliant security practices and may have to appoint a data protection officer (DPO), to name just a couple of the obligations that controllers and processors share. The GDPR requires controllers that rely on third parties to process personal data to use a contract called a data processing agreement.
How to Maintain GDPR Compliance
GDPR.eu,[5] an official EU website for GDPR compliance, recommends that US companies take the following steps:
- Conduct an information audit to determine if you are subject to the GDPR. Hint: if you process the personal information of EU data subjects, and these processing activities are related to offering them goods and services, the GDPR probably applies to you.
- Establish a legal basis for processing EU subject data. For most companies, this means obtaining consent from data subjects to collect and use their data. Processing data based on consent, though, comes with extra duties. Consent must be freely given, specific, informed, unambiguous, and revocable. Obtaining GDPR-compliant consent entails having a privacy notice that informs subjects about how their data are being used.
- Conduct a data protection impact assessment to understand data security and privacy risks and implement risk mitigation procedures, such as using encryption and other safeguards. Article 25 of the GDPR mandates “data protection by design and default.”
- Have a data processing agreement with your vendors. Contracts with your email vendor, cloud storage provider, and other third parties that handle the personal data you collect are required by the GDPR. These contracts define the rights and responsibilities of each party. Data controllers are responsible for creating the contract, which must contain certain clauses to be GDPR-compliant.
- Determine if you need to name a GDPR DPO. A DPO is a manager in charge of responding to data subject comments and questions, monitoring an organization’s GDPR compliance, performing data impact assessments, and more.[6] Not every organization requires a DPO.
- Understand your duties in the event of a data breach. These duties include reporting a data breach within seventy-two hours to the supervisory authority and communicating the data breach to impacted subjects.
- Follow cross-border transfer laws. The state of EU-US data transfers is currently in flux, with the previous legal framework invalidated by a European court. US and EU leaders are working on a new agreement, but in the meantime, transatlantic data flow is legally risky. Businesses that rely on it should consider using standard contractual clauses to ensure that European personal data sent to the US enjoy GDPR-like levels of protection.
Businesses that market their services to EU citizens and residents should already have updated their privacy policy, website terms and conditions, and internal policies about data handling a few years ago when the GDPR took effect. It never hurts to review your policies, however. If you are new to the European market, you should take steps to ensure you comply with the GDPR.
Failure to comply with the GDPR can result in controllers and processors being hit with a fine of up to €20 million, or 4 percent of annual global turnover, whichever is higher. Big GDPR fines have been issued to US companies,[7] and small and small and mid-size enterprises (SMEs) are not immune. The GDPR Enforcement Tracker website has cataloged thousands of GDPR fines, most of which have been against SMEs.[8] Analysts say that regulators are set to step up GDPR enforcement[9].
Talk to a Lawyer
The GDPR set the standard for data privacy legislation, and many other jurisdictions have since followed suit. Your company should take steps to comply with the GDPR and any laws like it, including those set to take effect in the United States in 2023. Instead of looking at compliance as an added legal burden, look at it as a way to build trust between your brand and your customers, as consumers worldwide demand greater control over their personal information.
For help with your data protection compliance policies, reach out to our office to schedule a meeting.
[1] What is personal data? European Comm’n, https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-personal-data_en (last visited Dec. 2, 2022).
[2] Does the GDP apply to companies outside of the EU? GDPR.EU, https://gdpr.eu/companies-outside-of-europe/ (last visited Dec. 2, 2022).
[3] Article 30 GDPR. Records of processing activities, GDPR Text, https://gdpr-text.com/read/article-30/ (last visited Dec. 2, 2022).
[4] What is a data controller or a data processor? European Comm’n, https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/obligations/controller-processor/what-data-controller-or-data-processor_en (last visited Dec. 2, 2022).
[5] GDPR compliance checklist for US companies, GDPR.eu, https://gdpr.eu/compliance-checklist-us-companies/ (last visited Dec. 2, 2022).
[6] Everything you need to know about the GDPR data protection officer (DPO), GDPR.EU, https://gdpr.eu/data-protection-officer/ (last visited Dec. 2, 2022).
[7] 30 Biggest GDPR Fines So Far (2020, 2021, 2022), Tessian (May 5, 2022), https://www.tessian.com/blog/biggest-gdpr-fines-2020/.
[8] GDPR Enforcement Tracker, https://www.enforcementtracker.com/ (last visited Dec. 2, 2022).
[9] GDPR: Fines increased by 40% last year, and they’re about to get a lot bigger, ZDNet.com (Jan. 19. 2021), https://www.zdnet.com/article/gdpr-fines-increased-by-40-last-year-and-theyre-about-to-get-a-lot-bigger/.