By Lindsay Spiller

GDPR (The EU's General Data Protection Regulation) — What US small businesses should know about it

Updated: Dec 31

1. What is GDPR?


The GDPR is the EU's General Data Protection Regulation, which took effect in May 2018 and is concerned with protecting the privacy of the personal data of EU data subjects. Given the GDPR's broad scope, and the severity of its penalties for non-compliance, US small businesses with a global reach should know about it and determine whether it affects them.

In particular, the GDPR imposes obligations on controllers and processors of personal data, which is defined as “any information relating to an identified or identifiable natural person.” A controller is defined as anyone who “determines the purposes and the means of the processing of personal data.” A processor, on the other hand, “processes personal data on behalf of the controller,” like payment services such as PayPal and Braintree.

2. Does GDPR apply to US-based companies?

Even though you may be a US company, the regulation applies to any controller or processor who “envisages offering services to data subjects in one or more of the Member States of the [European] Union." This speaks to some sort of intentionality test. In other words, an EU subject merely accessing your site somewhere in the EU would not be enough to trigger the application of the regulation. However, if your business site is accessible by EU subjects and you intend to market your business services in the EU, you will be subject to GDPR.

3. Should you worry about being in compliance?

Truth is, the risk of small to medium-sized businesses being subjected to an audit by the EU is slim, but since the penalty for non-compliance is great (20,000,000 EUR or up to 4% of total worldwide income, whichever is higher), it is advisable that any business subject to the GDPR undertake good faith efforts to comply.

4. What options does a US company have to achieve compliance?

There are two options:

Option 1: Take immediate action to incorporate the changes in company processes and policies required by the GDPR.

The steps include: (1) assess your current handling of personal data; (2) revise your privacy policy to include clauses required by the regulation; (3) employ a more transparent and detailed click-wrapped online consent form; (4) establish a breach notification system; and (5) appoint a designated corporate officer in charge of data security. Accomplishing these things will take time, but it is essential to avoid non-compliance.

Option 2: Participate in the US Department of Commerce’s Privacy Shield self-certification framework.

Although there is some concern about the future viability of this program, US companies that participate in the Privacy Shield program are considered to be de facto in compliance with EU data regulations. Google, Apple, and other companies subscribe to this program, and it may be advisable for you to consider participating as well. To be accepted, you must submit your business site’s privacy policy for review by the Department. The policy would have to incorporate the essential principles advocated by the Privacy Shield Framework. Acceptance, however, would be evidence of good-faith compliance with the EU’s GDPR.

Note: Since there is concern that Trump may weaken or do away with the Privacy Shield program, as a small business lawyer, I have advised my small business clients to take a hybrid approach (i.e., proceed with both Option 1 and Option 2) to achieve GDPR compliance.

5. What steps should you take now?

  • First Step — You should begin by taking an assessment of your business site’s acquisition and use of personal data, and ask: (1) What personal data is requested by the site? (2) Does the business have a lawful reason to obtain personal data? (3) To whom is the data transferred (to processors, to other companies)? (4) Do you have written agreements with processors and affiliate companies, and are they also GDPR compliant (i.e., do they require that the processors and affiliates also commit to abide by GDPR requirements)? (5) Do subscribers have the ability to change their minds and request that their data be deleted? (6) Do subscribers have a real choice as to whether or not they can refuse to hand over their personal information? (7) Do subscribers have a simple and clear way to actively and freely consent to their data being used? (8) Does the site obtain parental consent for the use of children’s data (those under the age of 16) as required by GDPR?

  • Second Step — You should update your Terms of Service and Privacy Agreements to incorporate the necessary clauses required by GDPR. If you are planning to take advantage of the Privacy Shield program, you should submit your privacy policy to the US Department of Commerce for approval.

  • Third Step — You should undertake the necessary changes to the website, business structure, and processor and affiliate agreements. Determine what changes need to be made to the site regarding obtaining proper subscriber consent. Determine what changes need to be made to the site to make consent for different types of data use explicit. Determine what changes to the business structure need to be made to deal with possible data security breaches (i.e., you may need to designate a data protection officer to be in charge of data security). Determine whether agreements with processors and affiliate companies have the necessary clauses to be GDPR-compliant.

The GDPR is a reaction to the erosion of privacy rights in the digital age. It appears to be the new standard for best practices relating to the protection of privacy online. Although it applies to the EU now, GDPR-like provisions may soon become standardized and spread to other jurisdictions, so it is advisable that small businesses take note of them, understand them, and make good faith efforts to comply.

Spiller Law is an advisor to startup businesses, entertainment and media companies, and artists. Feel free to schedule a free consultation.


Spiller Law is a San Francisco business, entertainment, and estate planning law firm. We serve clients in the San Francisco Bay Area, Silicon Valley, Los Angeles, and California. Feel free to arrange a free consultation using the Schedule Appointment link on our website. For other questions, feel free to call our offices at 415-991-7298.


The information provided in this article is for general informational purposes only and should not be construed as legal advice or opinion. Readers are advised to consult with their legal counsel for specific advice.


