GDPR (The EU's General Data Protection Regulation) — What US small businesses should know about it

Updated: May 13, 2021

1. What is GDPR?

It is the EU’s General Data Protection Regulation (GDPR), which took effect on May 25, 2018, and is concerned with protecting the privacy of the personal data of people in the EU (the regulation calls them data subjects). Given the GDPR's broad reach and the severity of its penalties for non-compliance, US small businesses with a global customer base should understand it and determine whether it applies to them.

In particular, the GDPR imposes obligations on controllers and processors of personal data, which it defines as “any information relating to an identified or identifiable natural person.” A controller is anyone who “determines the purposes and the means of the processing of personal data”; for a typical small business website, that is the business itself. A processor “processes personal data on behalf of the controller”; payment services such as PayPal and Braintree are common examples.

2. Does GDPR apply to US-based companies?

Even though you may be a US company, the regulation applies to any controller or processor who “envisages offering services to data subjects in one or more of the Member States of the [European] Union." This is an intentionality test: an EU data subject merely happening to reach your site from somewhere in the EU is not, by itself, enough to trigger the regulation. If, however, your site is accessible from the EU and you deliberately market your goods or services there (for example, by quoting prices in euros, shipping to EU addresses, or offering EU-language versions of the site), you are subject to the GDPR. The regulation also reaches businesses that monitor the behaviour of people in the EU, for instance through tracking cookies or analytics, even where no sale takes place.

3. Should you worry about being in compliance?

In practice, the risk of a small to medium-sized US business being subjected to enforcement action by an EU supervisory authority is slim, but because the maximum penalty is severe (up to 20,000,000 EUR or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher), any business subject to the GDPR should undertake good-faith efforts to comply.

4. What options does a US company have to achieve compliance?

There are two options:

Option 1: Take immediate action to incorporate the changes in company processes and policies required by the GDPR. The steps include: (1) assess your current handling of personal data; (2) revise your privacy policy to include the disclosures the regulation requires; (3) employ a more transparent and detailed click-wrap online consent form; (4) establish a breach notification process; and (5) appoint a designated person responsible for data protection. Accomplishing these things takes time, but it is essential to avoid non-compliance.

Option 2: Participate in the US Department of Commerce’s Privacy Shield self-certification framework. Two caveats apply. First, Privacy Shield only ever addressed one piece of the GDPR: it supplied a lawful basis for transferring personal data from the EU to a certified US company. Certification did not make a company compliant with the rest of the regulation (consent, data subject rights, breach notification, processor agreements), so participants should not be treated as de facto GDPR-compliant. Second, the Court of Justice of the European Union invalidated the Privacy Shield adequacy decision in July 2020 (Schrems II, Case C-311/18), so certification can no longer be relied on as the legal basis for EU-to-US transfers; most businesses now rely on the EU's standard contractual clauses instead. Google, Apple, and many other companies participated in the program, and the Department continues to administer it, but a small business should not treat it as a substitute for Option 1. To be accepted, you must submit your business site’s privacy policy for review by the Department, and the policy must incorporate the principles set out in the Privacy Shield Framework. Acceptance is, at most, evidence of a good-faith effort toward compliance, not of compliance with the GDPR itself.

Note: Since there is concern that Trump may weaken or do away with the Privacy Shield program, as a small business lawyer, I have advised my small business clients to take a hybrid approach (i.e., proceed with both Option 1 and Option 2) to achieve GDPR compliance.

5. What steps should you take now?

  • First Step — You should begin by taking an assessment of your business site’s acquisition and use of personal data, and ask: (1) What personal data does the site request? (2) Does the business have a lawful basis (consent, performance of a contract, legitimate interest, or another basis recognised by the regulation) for each use of that data? (3) To whom is the data transferred (to processors, to other companies)? (4) Do you have written agreements with processors and affiliate companies, and are they also GDPR compliant (i.e., do they require that the processors and affiliates also commit to abide by GDPR requirements)? (5) Do subscribers have the ability to change their mind and request that their data be deleted? (6) Do subscribers have a real choice as to whether or not to hand over their personal information? (7) Do subscribers have a simple and clear way to actively and freely consent to their data being used? (8) Does the site obtain parental consent for use of children’s data (those under the age of 16; individual member states may lower the threshold to as low as 13) as required by GDPR?

  • Second Step — You should update your Terms of Service and Privacy Policy to incorporate the clauses required by GDPR. If you are planning to take advantage of the Privacy Shield program, you should submit your privacy policy to the US Department of Commerce for review.

  • Third Step — You should undertake the necessary changes to the website, business structure, and processor and affiliate agreements. Determine what changes need to be made to the site to obtain proper subscriber consent, and to make consent for each distinct type of data use explicit rather than bundled. Determine what changes to the business structure are needed to deal with a data breach: the GDPR requires notifying the relevant supervisory authority within 72 hours of becoming aware of a breach where feasible, and notifying the affected individuals when the breach is likely to result in a high risk to them, so someone must own detection, triage, and notification (for some businesses this means formally designating a data protection officer). Determine whether agreements with processors and affiliate companies contain the clauses needed to be GDPR-compliant.

The GDPR is a reaction to the erosion of privacy rights in the digital age, and it has become the reference standard for best practices in protecting privacy online. Although it applies to the EU today, GDPR-like provisions are likely to spread to other jurisdictions, so small businesses should take note of them, understand them, and make good-faith efforts to comply.


Lindsay Spiller is the founder of Spiller Law, a San Francisco business, entertainment, and estate planning law practice.


Disclaimer. Spiller Law Blog Posts are made available for educational purposes only, to give you general information and a general understanding of the law, not to provide legal advice. By reading the posts, you acknowledge that no attorney-client relationship is created between you and Lindsay Spiller or Spiller Law, and these posts should not be taken as legal advice. You should not act upon this information without seeking advice from a lawyer licensed in your own state or jurisdiction. The blog posts should not be used as a substitute for competent legal advice from a licensed professional attorney in your state or jurisdiction. Your use of the blog posts is at your own risk. The materials presented herein may not reflect the most current legal developments, verdicts or settlements. These materials may be changed, improved, or updated without notice. Lindsay Spiller and Spiller Law are not responsible for any errors or omissions in the content of this site or for damages arising from the use or performance of this site under any circumstances.