EU General Data Protection Regulation (GDPR) and Its Impact on US Businesses
On May 25, 2018, the European Union’s General Data Protection Regulation (GDPR) went into effect. As a general matter, the GDPR governs how the personal data of individuals in the European Union can be collected, used, held and maintained, and it grants those individuals certain rights over their data. Failure to comply with the GDPR can result in significant penalties, including very substantial fines. For the most serious infringements, fines can extend up to the greater of €20 million or four percent of the company’s total worldwide annual turnover for the preceding financial year. There was no grace period after May 25, 2018.
The GDPR applies not only to businesses which have established operations within the European Union, but can also apply to companies outside the European Union, INCLUDING AMERICAN COMPANIES. For example, if your business is not located within the European Union, but nevertheless (a) offers goods or services to an individual located within the European Union (whom we refer to in this article as a European Union data subject), (b) monitors the behavior of a European Union data subject, (c) holds, collects or processes the personal data of a European Union data subject, or (d) targets a European Union data subject with marketing (including internet based marketing, such as even just certain company websites), the GDPR can apply. Under Article 3(2) of the GDPR, the two formal triggers for a company with no establishment in the European Union are offering goods or services to, and monitoring the behavior of, individuals in the European Union; collecting, holding or processing such individuals’ personal data brings a business within the GDPR when it is done in connection with one of those activities.
Determining whether the GDPR applies to your American company, and how to comply with it, can be complex. Centauri Law Group, P.C. can help. Some of the questions this firm can help your business answer about GDPR compliance include:
I have a California business; does my business need to comply with the GDPR? If so, what does my business need to do to comply with the GDPR?
As noted above, companies that do not have a physical presence in the European Union might still need to comply with the GDPR under certain circumstances. The GDPR may apply to your business if, for example, your business sells or offers to sell goods or services to persons within the European Union; targets persons within the European Union with advertising or marketing; or, directly or indirectly, collects, processes or holds data on persons within the European Union in the course of those activities. In certain circumstances, the website of a California business can itself bring the business within the purview of the GDPR. Keep in mind that it does not take much to trigger the GDPR: collecting the personal data of even a single person within the European Union, in connection with offering goods or services to or monitoring the behavior of that person, can bring your business within its scope.
The GDPR is based on specific data protection principles. If the GDPR applies, those principles require that personal data be:
- Processed lawfully, fairly, and in a transparent manner;
- Collected for specified, explicit, and legitimate purposes, and not processed in a manner that is incompatible with those purposes;
- Adequate, relevant, and limited to what is necessary in relation to the purposes for which the data is collected and processed;
- Accurate and, where necessary, kept up-to-date;
- Kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the data is processed; and
- Processed in a manner that ensures appropriate security of the personal data, using appropriate technical and organizational measures.
Additionally, the controller (the business that determines the purposes and means of processing the personal data) is responsible for, and must be able to demonstrate compliance with, the GDPR’s data protection principles. This accountability obligation is why documentation matters as much as the underlying practices.
The GDPR is complex and contains myriad specific rules and requirements implementing its data protection principles. Before a company to which the GDPR applies can even begin to comply with those requirements, the company should make an exhaustive study of the personal data it keeps, where that data is stored, why it is kept, how it flows (including to vendors and other third parties) and how it is processed and used. All of this should be documented and continuously updated; the same inventory forms the basis of the record of processing activities that the GDPR requires many controllers and processors to maintain (Article 30). Such a study can also assist in determining whether the GDPR applies at all. This analysis should be done by someone versed in the GDPR and its various requirements and technicalities.
What if my business is not GDPR compliant?
As noted above, very severe sanctions can be levied – fines up to the greater of €20 million or four percent of your company’s worldwide revenue for the prior year – if the GDPR applies to your business and you fail to comply with the GDPR.
Do I need a data protection officer?
If the GDPR applies to your business, and if the core activities of your business require regular and systematic monitoring of data subjects on a large scale, or consist of large-scale processing of special categories of personal data (for example, health, biometric or genetic data, or data revealing racial or ethnic origin, political opinions, religious beliefs or sexual orientation) or of data relating to criminal convictions, you might need to appoint a data protection officer (DPO) with expert knowledge of data protection law. A DPO, if required for your business, must report directly to the highest management level of your business and cannot be dismissed or penalized for performing her or his tasks.
Do I need to make alterations to my business website?
If the GDPR applies to your business, then it is quite possible that alterations would need to be made to your website to ensure GDPR compliance. The first step in determining what, if any, alterations are needed is to analyze what user information and data is collected, directly or indirectly (including by third parties such as advertisers, plug-ins, trackers, analytics tools and the like), from users of and visitors to your website. After such an analysis by someone experienced in GDPR requirements, specific compliance recommendations can be made.
How does the GDPR affect social media marketing for my business?
Many organic social media activities can be GDPR compliant, depending on the particular social media site and the activity, provided those activities do not collect personal data from the people who view or engage with them. Social media advertising, scraping of contact details, and referring traffic from social media to your own website are examples of social media activities that potentially could be problematic under the GDPR.
Under the GDPR, what if my business experiences a breach of the data we hold?
The GDPR contains specific rules regarding personal data breaches (personal data under the GDPR relates to natural persons, not to businesses). Among other things, a controller that becomes aware of a breach of personal data must notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals’ rights and freedoms; if notification is made after 72 hours, it must be accompanied by the reasons for the delay. Where the breach is likely to result in a high risk to individuals, the controller must also notify the affected individuals without undue delay. A processor that holds data on a controller’s behalf must notify the controller without undue delay after becoming aware of a breach. The controller must also document every breach, including its effects and the remedial action taken, so that the supervisory authority can verify compliance.
If the GDPR does not apply to my business or its operations, do I still need to worry about data privacy and security?
Yes, absolutely. Data privacy and security laws and regulations are proliferating around the world, including at the state level in the United States (California among them) and at the federal level. Data breaches also can harm your business’s reputation and destroy the goodwill associated with your business, which is reason enough to treat data privacy and security seriously and to consult with applicable experts.
The foregoing is only a very general summary of certain aspects of the GDPR and its applicability, is provided here for general informational purposes only, is not intended to constitute legal guidance, and should not be relied upon without consulting with an experienced attorney. The GDPR is complex. Answers to questions about GDPR compliance are fact specific and may vary from case-to-case.
Centauri Law Group, P.C. can assist your business not only in determining whether the GDPR applies to your business operations and marketing, but, if so, in how to comply with its requirements. Let us help you navigate the GDPR. If you are unsure whether the GDPR applies to your business, or you believe your business is unprepared for the GDPR, it is time to seek legal help. We can help you with the GDPR requirements. Please contact our Paralegal, Kimberly Campbell, at (949) 936-4419 to schedule a telephone consultation with one of our attorneys.
The information you obtain in the above article, and at this site, is not nor is it intended to be, legal advice. You should consult an attorney for advice regarding your individual situation. Please note that we do not provide tax advice and you should consult a tax professional regarding tax related matters. Should you wish to discuss the above topic or other related matters, you can contact us via e-mail or phone. Contacting us does not create an attorney-client relationship. Please do not send any confidential information to us until such time as an attorney-client relationship has been established by written agreement.