Updated: May 13, 2021
1. What is GDPR?
It is the EU’s General Data Protection Regulation (GDPR), which became effective in May 2018, and is concerned with protecting the sanctity and privacy of personal data of EU subjects. Given GDPR's scope, and the severity of its penalties for non-compliance, it is advisable that US small businesses with a global reach should know about it and determine whether it affects them.
In particular, the GDPR imposes obligations on controllers and processors of personal data, which is defined as “any information relating to an identified or identifiable natural person.” A controller is defined as anyone who “determines the purposes and the means of the processing of personal data.” A processor, on the other hand, “processes personal data on behalf of the controller,” like payment services such as PayPal and Braintree.
2. Does GDPR apply to US-based companies?
Even though you may be a US company, the regulation applies to any controller or processor who “envisages offering services to data subjects in one or more of the Member States of the [European] Union." This speaks to some sort of intentionality test. In other words, an EU subject merely accessing your site somewhere in the EU would not be enough to trigger application of the regulation. However, if your business site is accessible by EU subjects and you intend to market your business services in the EU, you will be subject to GDPR.
3. Should you worry about being in compliance?
Truth is, the risk of small to medium-sized businesses being subjected to an audit by the EU is slim, but since the penalty for non-compliance is great (20,000,000 EUR or up to 4% of total worldwide income, whichever is higher), it is advisable that any business subject to the GDPR undertake good faith efforts to comply.
4. What options does a US company have to achieve compliance?
There are two options:
Note: Since there is concern that Trump may weaken or do away with the Privacy Shield program, as a small business lawyer, I have advised my small business clients to take a hybrid approach (i.e., proceed with both Option 1 and Option 2) to achieve GDPR compliance.
5. What steps should you take now?
First Step — You should begin by taking an assessment of your business site’s acquisition and use of personal data, and ask: (1) What personal data is requested by the site? (2) Does the business have a lawful reason to obtain personal data? (3) To whom is the data transferred (to processors, to other companies)? (4) Do you have written agreements with processors and affiliate companies, and are they also GDPR compliant (i.e., do they require that the processors and affiliates also commit to abide by GDPR requirements)? (5) Do subscribers have the ability to change their mind and request that their data be deleted? (6) Do subscribers have a real choice as to whether or not they can refuse to hand over their personal information? (7) Do subscribers have a simple and clear way to actively and freely consent to their data being used? (8) Does the site obtain parental consent for use of children’s data (those under the age of 16) as required by GDPR?
Third Step — You should undertake the necessary changes to the website, business structure, and processor and affiliate agreements. Determine what changes need to be made to the site regarding obtaining proper subscriber consent. Determine what changes need to be made to the site to make consent for different types of data use explicit. Determine what changes to the business structure need to be made to deal with possible data security breaches (i.e., you may need to designate a data protection officer to be in charge of data security). Determine whether agreements with processors and affiliate companies have the necessary clauses to be GDPR-compliant.
The GDPR is a reaction to the erosion of privacy rights in the digital age. It appears to be the new standard for best practices relating to protection of privacy online. Although it is applicable to the EU now, GDRP-like provisions may soon become standardized and spread to other jurisdictions, so it is advisable that small businesses take note of them, understand them, and make good faith efforts to comply.
Disclaimer. Spiller Law Blog Posts are made available for educational purposes only as well as to give you general information and a general understanding of the law, not to provide legal advice. By reading the posts, you acknowledge that there is no attorney-client relationship created between you and Lindsay Spiller or Spiller law, and these posts should not be taken a legal advice. You should not act upon this information without seeking advice from a lawyer licensed in your own state or jurisdiction. The blog posts should not be used as a substitute for competent legal advice from a licensed professional attorney in your state or jurisdiction. Your use of the blog posts is at your own risk. The materials presented herein may not reflect the most current legal developments, verdicts or settlements. These materials may be changed, improved, or updated without notice. Lindsay Spiller and Spiller Law is not responsible for any errors or omissions in the content of this site or for damages arising from the use or performance of this site under any circumstances.