Articles Posted in Privacy

In my first blog post on GDPR, I talked about why some U.S. businesses have an obligation to comply with the European Union’s General Data Protection Regulation (GDPR). This post expands on the territorial scope of GDPR. Which U.S. businesses have to comply with GDPR and which don’t?

Starting first with GDPR’s direct coverage, GDPR talks about businesses established in the EU. If a business has a division or office in the EU, then it has activities covered by GDPR. Also, if a business offers goods or services in the EU (even if free), the business must comply with GDPR. In addition, if a business is monitoring the behavior of EU residents, GDPR applies. Finally, if EU law applies because of public international law, then GDPR applies there as well. This last basis will not affect most U.S. businesses. These bases for GDPR’s coverage all appear in GDPR Article 3.

In addition to direct coverage, a U.S. business may have compliance obligations indirectly because it is processing data on behalf of a company that is covered by GDPR. The customer may be a controller collecting personal data from EU residents or may itself be a data processor receiving data from a controller covered by GDPR. In either case, a controller and any downstream processor have an obligation to protect personal data collected from EU residents. They will need to make sure any U.S. businesses providing data processing services meet the standards of the kind imposed by GDPR through an agreement or other mechanism. The two most common mechanisms are “standard contractual clauses” – essentially an addendum to a service agreement that impose data protection requirements – or a U.S. business’s self-certification under the EU-U.S. Privacy Shield program of the U.S. Department of Commerce. A U.S. business providing services for a European controller or processor can import EU personal data to the U.S. if it provides assurances of an adequate level of protection under either of these two mechanisms. These U.S. businesses, then, have an indirect obligation to comply with GDPR standards.

This is my third blog post on the European Union’s General Data Protection Regulation (GDPR). For basic information about GDPR and why U.S. businesses need to watch out for GDPR, see my first blog post in the series. Or to see what GDPR says about information security requirements, see my second post.

What is the first thing your business should do in taking steps towards GDPR compliance? The short answer is you should assess your current privacy and security program.

More specifically, you will need to understand your organization, its business context, its culture, and the types of personal data it processes. You will need to understand in a detailed way what kinds of personal data the business is collecting and receiving, how it uses personal data, its practices in sharing and transmitting personal data, its retention of personal data, and its disposal of personal data. Your business should understand its entire personal data lifecycle and where personal data flow through your business’s systems. You need to assess the strengths and weaknesses of your current data protection program. Once you have made this assessment, you can plan future steps to enhance the data protection function within your business. You can then assess its effectiveness and make improvements.

The hottest data protection issue for major U.S. businesses this year is compliance with the European Union’s General Data Protection Regulation (GDPR). Even small and medium sized businesses may also need to comply with GDPR. This post covers frequently asked questions about GDPR.

What is GDPR? GDPR[1] is the European Union’s comprehensive data protection law that takes the place of 1995’s Data Protection Directive 95/46/EC.[2] By “data protection,” I am referring to both privacy and security. GDPR collects, clarifies, harmonizes, and expands data protection requirements throughout the European Economic Area (EEA). The European Economic Area consists of the 28 countries of the European Union plus Norway, Iceland, and Liechtenstein.

Why is GDPR such a concern for U.S. businesses? First, the fines for violating GDPR are potentially heavy. EU data protection authorities can fine businesses up to 20 million euros ($23.5 million) or 4 percent of their global revenues for violations, whichever is greater. Fines, moreover, will likely be based on the revenue of the global parent and any subsidiaries involved with the violations. Second, U.S. businesses find GDPR to be complex and unfamiliar. Questions arise concerning jurisdictional scope, defining the kinds of personal data covered, obtaining consents from individuals, maintaining an audit trail of consents, managing cross-border data flows, and handling new forms of individual rights given to EEA residents.