1. What is GDPR?
It is the EU’s General Data Protection Regulation (GDPR), which became effective in May 2018 and is concerned with protecting the privacy of the personal data of EU data subjects. Given the GDPR's scope, and the severity of its penalties for non-compliance, US small businesses with a global reach should know about it and determine whether it affects them.
In particular, the GDPR imposes obligations on controllers and processors of personal data, which is defined as “any information relating to an identified or identifiable natural person.” A controller is anyone who “determines the purposes and the means of the processing of personal data.” A processor, on the other hand, “processes personal data on behalf of the controller”; payment services such as PayPal and Braintree, which handle transactions on a merchant’s behalf, are a common example.
2. Does GDPR apply to US-based companies?
Even though you may be a US company, the regulation applies to any controller or processor who “envisages offering services to data subjects in one or more of the Member States of the [European] Union.” This amounts to an intentionality test. In other words, an EU data subject merely accessing your site from somewhere in the EU is not, by itself, enough to trigger the regulation. However, if your business site is accessible to EU data subjects and you intend to market your business services in the EU, you will be subject to the GDPR.
3. Should you worry about being in compliance?
In truth, the risk of a small to medium-sized business being audited by an EU supervisory authority is slim, but since the maximum penalty for non-compliance is severe (up to 20,000,000 EUR or 4% of total worldwide annual turnover for the preceding year, whichever is higher), any business subject to the GDPR should undertake good faith efforts to comply.
4. What options does a US company have to achieve compliance?
There are two options:
Option 1: Take immediate action to incorporate the changes in company processes and policies required by the GDPR.
Option 2: Participate in the US Department of Commerce’s Privacy Shield self-certification framework. Note that Privacy Shield addresses only the lawfulness of transferring personal data from the EU to the US; it does not by itself satisfy the GDPR’s other obligations (consent, data subject rights, processor agreements, breach handling), which still require the changes described in Option 1.
Note: Since there is concern that Trump may weaken or do away with the Privacy Shield program, as a small business lawyer, I have advised my small business clients to take a hybrid approach (i.e., proceed with both Option 1 and Option 2) to achieve GDPR compliance.
5. What steps should you take now?
First Step — You should begin by taking an assessment of your business site’s acquisition and use of personal data, and ask: (1) What personal data does the site request? (2) Does the business have a lawful basis for obtaining and using that personal data? (3) To whom is the data transferred (to processors, to other companies)? (4) Do you have written agreements with processors and affiliate companies, and are they also GDPR-compliant (i.e., do they require that the processors and affiliates also commit to abide by GDPR requirements)? (5) Can subscribers change their minds and request that their data be deleted? (6) Do subscribers have a real choice as to whether or not to hand over their personal information? (7) Do subscribers have a simple and clear way to actively and freely consent to their data being used, separately for each purpose? (8) Does the site obtain parental consent for the use of children’s data as required by the GDPR (children under 16, although individual member states may set a lower age, down to 13)?
Third Step — You should undertake the necessary changes to the website, business structure, and processor and affiliate agreements. Determine what changes need to be made to the site to obtain proper subscriber consent. Determine what changes need to be made to the site to make consent for each distinct type of data use explicit. Determine what changes to the business structure are needed to deal with possible data security breaches: the GDPR requires that a breach be reported to the supervisory authority within 72 hours of the business becoming aware of it, so someone must be responsible for detecting, assessing and reporting incidents. The GDPR mandates a designated data protection officer only in specific circumstances (for example, large-scale systematic monitoring of individuals or large-scale processing of sensitive data), but designating one is a reasonable step for any business handling significant personal data. Finally, determine whether agreements with processors and affiliate companies contain the clauses necessary to be GDPR-compliant.
The GDPR is a reaction to the erosion of privacy rights in the digital age. It appears to be the new standard for best practices relating to the protection of privacy online. Although it applies to the EU now, GDPR-like provisions may soon become standardized and spread to other jurisdictions, so small businesses should take note of them, understand them, and make good faith efforts to comply.
Spiller Law is an advisor to startup businesses, entertainment and media companies, and artists. Feel free to schedule a free consultation.
Spiller Law is a San Francisco business, entertainment, and estate planning law firm. We serve clients in the San Francisco Bay Area, Silicon Valley, Los Angeles, and California. Feel free to arrange a free consultation using the Schedule Appointment link on our website. For other questions, feel free to call our offices at 415-991-7298.
The information provided in this article is for general informational purposes only and should not be construed as legal advice or opinion. Readers are advised to consult with their legal counsel for specific advice.