Lindsay Spiller

GDPR (The EU's General Data Protection Regulation) — What US small businesses should know about it

Updated: Dec 18, 2022

1. What is GDPR?

The General Data Protection Regulation (GDPR) is the EU's data protection law. It has applied since 25 May 2018 and protects the personal data of individuals in the EU (the regulation calls them "data subjects"), regardless of their citizenship. Given the GDPR's reach beyond the EU's borders and the size of its penalties for non-compliance, US small businesses with customers or users abroad should understand it and determine whether it applies to them.

In particular, the GDPR imposes obligations on controllers and processors of personal data, which is defined as "any information relating to an identified or identifiable natural person." That definition covers not only names and email addresses but also online identifiers such as IP addresses and cookie identifiers where they can be linked to a person. A controller is anyone who "determines the purposes and the means of the processing of personal data." A processor, on the other hand, "processes personal data on behalf of the controller," for example a hosting provider or a payment service such as PayPal or Braintree acting on your instructions. In practice, a business that runs a website is usually the controller of its customers' data and remains responsible for the processors it uses; the regulation requires a written contract with each of them (Article 28).

2. Does GDPR apply to US-based companies?

Yes, it can. Under Article 3(2), the GDPR applies to a controller or processor outside the EU whose processing relates either to offering goods or services to data subjects in the EU, whether or not payment is required, or to monitoring their behaviour within the EU. For the first limb the regulation's recitals describe an intent test: the company must "envisage offering services to data subjects in one or more of the Member States of the [European] Union." The fact that someone in the EU can reach your site is not, by itself, enough; indicators such as pricing in euros, a version of the site in an EU language, or shipping to EU countries are. If your site is accessible from the EU and you intend to market your services there, you are subject to the GDPR. Do not overlook the second limb: tracking visitors for advertising or profiling (for example with analytics or advertising cookies) can bring a US site within scope even without targeted marketing.

3. Should you worry about being in compliance?

In practice, the chance that a small or medium-sized US business is investigated by an EU member state's supervisory authority is slim, but a single complaint from a data subject can trigger an investigation (Article 77), and the maximum penalty is large: for the most serious infringements, up to 20,000,000 EUR or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher (a lower tier of 10,000,000 EUR or 2% applies to other infringements). Any business subject to the GDPR should therefore make, and document, good-faith efforts to comply.

4. What options does a US company have to achieve compliance?

There are two options:

Option 1: Take immediate action to incorporate the changes in company processes and policies required by the GDPR. The steps include: (1) assess your current handling of personal data: what you collect, why, where it is stored, who it is shared with and how long it is kept, and write this down as a record of processing activities (Article 30); (2) revise your privacy policy to include the disclosures the regulation requires (Articles 13 and 14), such as the purposes and legal basis for each processing activity, retention periods, any transfers outside the EU and the data subject's rights; (3) where you rely on consent, collect it through a clear affirmative opt-in rather than pre-ticked boxes or silence, and keep a record of when and how it was given; (4) establish a breach detection and notification process, since a breach that risks individuals' rights must be reported to the supervisory authority within 72 hours of your becoming aware of it (Article 33); (5) appoint a person responsible for data protection, and a formal Data Protection Officer where the regulation requires one (Article 37); and (6) if your company is not established in the EU, designate a representative in the EU unless your processing is occasional and low-risk (Article 27). Accomplishing these things will take time, but it is essential to avoid non-compliance.

Option 2: Participate in the US Department of Commerce's Privacy Shield self-certification framework. To be accepted, a company submitted its privacy policy to the Department for review; the policy had to incorporate the principles set out in the Privacy Shield Framework, and Google, Apple and many other US companies certified under it. Two caveats are essential. First, Privacy Shield was never a substitute for GDPR compliance: it was an adequacy mechanism that made the transfer of personal data from the EU to a certified US company lawful, and a certified company still had to meet the obligations in Option 1. Second, the Court of Justice of the European Union invalidated the Privacy Shield adequacy decision in July 2020 (the Schrems II judgment), so certification no longer provides a legal basis for receiving EU personal data. A US business that needs to transfer such data must now rely on another mechanism, most commonly the Standard Contractual Clauses adopted by the European Commission (Article 46), together with an assessment of whether US law undermines the protections those clauses promise. A successor framework, the EU-US Data Privacy Framework, had been announced but not yet adopted when this post was updated. Certification under a valid framework is evidence of good-faith compliance efforts, but it does not replace the steps in Option 1.

Note: Since there is concern that Trump may weaken or do away with the Privacy Shield program, as a small business lawyer, I have advised my small business clients to take a hybrid approach (i.e., proceed with both Option 1 and Option 2) to achieve GDPR compliance.

5. What steps should you take now?