Who: United States businesses that process (i.e., collect, store, or transmit) the personal information of EU residents in connection with offering goods or services in the EU (online or otherwise) are subject to the GDPR, regardless of whether the business has any physical presence in the EU or any payment is made by the EU resident.
What: The GDPR is a comprehensive data-privacy regulation that gives people control over their data in ways that are very different than what US businesses are accustomed to. Businesses must clearly and accurately disclose how they collect and use personal data and be prepared to provide EU residents copies of their data, delete their data, correct their data, and report any data breaches to EU regulatory authorities within 72 hours. Many marketing communications and other data collection will also require “opt-in” consent from EU residents, which is a drastic departure from current/standard US practices.
When: May 25, 2018
Where: Globally. The GDPR has extraterritorial reach, so it will apply to US businesses that offer goods or services to people in the EU, even if those goods or services are only being provided online and the US company has no physical presence in the EU.
Why: Data privacy is a fundamental right in the EU, but EU regulators feel that many businesses, including many US-based companies, are not adequately respecting that right. The GDPR attempts to address this by providing significantly expanded rights to EU residents, putting significantly more obligations on companies that process EU resident data, regardless of their physical location, and increasing liability exposure. The GDPR provides both a private right of action for EU residents (even without any finding of material harm) and companies are subject to enormous regulatory fines; fines may reach the greater of (a) €20 million or (b) four (4) percent of global annual revenue (even if only one (1) percent was earned in the EU).
How: There are steps that US businesses should be taking now to come into compliance by the May 25, 2018 enforcement deadline. These include:
1. Take Action
GDPR compliance is a daunting task because, for most US businesses, it requires significant changes from the status quo. But taking action now can determine whether your company is the target of (or low-hanging fruit for) an EU regulator or citizen suit.
2. Start Here
Start with a data map: identify what data you possess related to EU residents and where it resides on your systems. For many businesses, much of this data will reside in a massive contacts database or records management system. Ask if you still need it—for data retention law, performing a contract, or otherwise. If you don’t need it, delete it. Unnecessary data equals unnecessary risk.
3. Evaluate Email Marketing Practices
Once you identify EU resident data in your contacts database, delete all contact data that you don’t need, including data that are stale. Contact data do have a shelf life. For those EU residents that you’d like to continue sending marketing materials to, send them an “opt-in” email before May 25. This email will disclose, among other things, what communications you would like to send those contacts, how you will use their data, and ask them to agree to those practices by checking a box. (No pre-filled boxes.) Be prepared to demonstrate that you’ve obtained opt-in consent from everyone to whom you send unsolicited marketing materials.
4. Amend Contracts
On May 25, to lawfully transmit data from the EU to the US (e.g., to view data provided by EU residents on your computer located in the US), you’ll be required to comply with data transfer laws—and most existing contracts are not set up for this. US companies are in the process of negotiating and executing tens of thousands of data-processing amendments that will allow for the legal transmission of data to the US.
5. Determine Lawful Bases for Processing
Under the GDPR, EU resident data can only be processed (i.e., collected, stored, or transmitted) if there is a lawful basis for doing so. Companies must undertake the task of identifying the lawful basis for processing, such as the performance of a contract or consent from the EU resident. This should be in writing because EU regulators will want to see a record of processing activities.
6. Monitor Enforcement
The GDPR represents the most drastic change to data-privacy law in 20 years. As a result, EU regulators will be busy and it’s likely they will focus initial enforcement efforts on the worst offenders. But every company subject to the GDPR—by the letter of the law—faces both massive fines and private citizen suits. US companies should monitor enforcement, public and private, to identify trends and make adjustments to compliance efforts based on risk exposure.
7. Remember: We’re Here to Help!
The steps set forth above are by no means comprehensive and will not result in full compliance with GDPR, but they are designed to get you started. We are helping clients come into compliance with the GDPR and many have the same questions and concerns you do. Contact us so we can help you take action between now and May 25 to help reduce your risk and move your business towards GDPR compliance.
David Rice provides strategic advice to clients on data privacy and security, data breaches, cloud services and infrastructure, and related intellectual property issues.
Direct: 206.777.7424 | Email: firstname.lastname@example.org