US Companies listen up: EU GDPR is coming fast and it applies to you
Here’s what you need to know:
Does EU General Data Protection Regulation (GDPR) apply to my company?
GDPR will apply to your company if:
- your company has an establishment in the EU and it processes personal data in the context of the activities of that establishment (whether or not the processing takes place in the EU); or
- your company has no establishment in the EU but it processes personal data of data subjects who are in the EU, if the activities relate to:
- offering of goods or services to those data subjects in the EU (whether paid for or free of charge); or
- the monitoring of their behaviour as far as their behaviour takes place within the EU.
Number one above is no different from the current European Data Protection Directive, except that GDPR applies to both data controllers and data processors. So if your company is caught by the Directive, it will be subject to GDPR.
Number two above is new. Many US companies that are not caught by the current EU data protection regime will be subject to GDPR because of this provision.
What does offering goods or services and monitoring behaviour mean?
For the offering of goods or services, it needs to be apparent that the US company envisages offering these goods or services to data subjects in one or more EU Member States. Relevant factors include use of language and/or currency commonly used in one or more EU Member State on your website and use of a country specific domain name such as .ie for Ireland.
As for monitoring the behaviour of EU data subjects, this includes tracking individuals on the internet for profiling purposes such as via cookies.
What about US processors?
US data processors take note: GDPR applies directly to data processors. If you are a processor, you will be subject to GDPR if you meet the above criteria. As an example, US cloud providers offering their services directly to EU data subjects (rather than to EU corporate data controllers) will need to comply with GDPR when processing their personal data.
My company is subject to GDPR. What should it do now?
1. Your company should consider what steps (if any) it could take to avoid being caught by GDPR.
Online businesses could take steps to avoid orders being placed on their websites by EU data subjects if the EU is not a core market. Using anonymised data (outside of GDPR scope) rather than personal data may be another option.
2. If avoiding GDPR is not an option for your company, it should identify the personal data of EU data subjects that it processes and make a business decision on the level of GDPR compliance it wishes to achieve.
It should then identify and implement the necessary steps to achieve its desired level of compliance by 25 May 2018, when GDPR comes into force.
Your company should also consider whether it will have one set of processes and controls for all personal data it processes (and not just that of EU data subjects) or whether it will have separate processes and controls for personal data of EU data subjects.
3. Appoint an EU representative or take steps to create an establishment in the EU.
US companies caught by GDPR who do not have an establishment in the EU will be required to designate a representative in the EU, with limited exceptions. The representative will need to represent the US company in dealings with the relevant supervisory authority and be the point of contact for data subjects.
What happens if my company doesn’t comply with GDPR?
The levels of fines that can be imposed under GDPR are significant. A fine of up to €20 million or 4% of annual worldwide turnover, whichever is higher, may be imposed for more serious breaches such as breach of any data subjects’ rights. A fine of up to €10 million or 2% of annual worldwide turnover, whichever is the higher, will apply to less serious breaches such as failure to maintain a data processing register.
Individuals who have suffered material or non-material damage as a result of breach of GDPR can also sue the controller or processor for compensation for the damage suffered.
How will GDPR be enforced against us as a US company?
There are questions about how supervisory authorities will enforce GDPR directly against US companies without an establishment in the EU. The general feeling is it will be very difficult. Supervisory authorities may be forced to raise enforcement proceedings against the EU representatives appointed by US companies.
Now is the time to act.
Your business should be assessing its interaction with personal data of EU data subjects and how GDPR will impact on it and the sector in which it operates. Given the level of change that may be required to comply with GDPR, May 2018 could arrive far sooner than anticipated.
How we can help
Constraints on budgets and resource coupled with the challenges of maintaining competitive advantage mean that, in reality, many businesses are not seeking full ‘gold-plated’ GDPR compliance but are directing their attention to achieving a level of compliance that minimises the risks of damage to customer relationships, negative brand impact and enforcement action by regulators (fines). We provide commercially-focused advice that assists your company to achieve a defensible position under GDPR in a business-enabling way.