Our Company is a US Company — Do We Care About GDPR?

The long-anticipated effective date of The Global Data Protection Regulation (“GDPR”) is upon us.  On May 25, 2018, GDPR, a mandate for safeguarding the personal data of European citizens officially became effective.   This article explores some of the implications GDPR has on U.S. based companies.

i. Jurisdiction:

For companies based in the United States of America (“US”), where most of their business comes from customers in the US, it may be easy to assume that this “European” mandate does not apply.  After all, what jurisdiction does an EU regulation have over a US Company?  Jurisdiction is proper and regulation compliance issues face US companies like these because GDPR requires all companies who collect, store, or process the personal data of EU citizens to comply.  And, the regulation defines “personal data” broadly to include direct contact information such as name, phone number, address, and e-mail address, in addition to other information that could be used to identify an individual, such as a username or IP address.  Any US company that has an office in any EU country is subject to GDPR.  But, there are many other, more subtle ways that US companies may be subject to the regulation.  For example, the following companies would also have obligations to comply with GDPR:  any US company that has a website that is accessible to EU citizens, that is accessible via any EU Country’s URL suffix, any US company whose website is provided in any of the official languages of the EU countries, and any US company whose website accepts payment in Euros.

ii. Why Should a US-based Company Care?

First, there is a private right of action, such that private individuals who believe their private information has been compromised may sue for damages.  Second, fines for non-compliance with GDPR are significant, where penalties may be as high as 4% of the company’s annual revenue or $20 million, whichever is greater.

iii. What Steps Should a US-based Company Take?

US Companies that find themselves subject to GDPR may feel trepidation as to where to start in terms of establishing compliance.  While this is not an exhaustive list, companies should first and foremost, have a privacy notice in place that is clear and transparent and addresses the following:  what personal data is collected by the company, how it is stored and for how long, why it is collected, and with whom such data is shared.  Companies should name all organizations that will have access to and/or process user personal data.  The website should provide the user a means to consent to personal data collection and processing.  Consent must be “opt-in” and not merely a pre-ticked box or other “opt-out” solution.  Further, email marketing issues should be addressed.  Pursuant to GDPR, companies should obtain new and affirmative consent from users who previously received email marketing messages, in order for the company to continue sending those emails to these users.

Finally, while the new regulation is not explicit in terms of how these issues should be addressed, companies must accommodate these rights of EU citizens:

  • The Right to be Forgotten ( have their data deleted)
  • The Right to Access and Right of Accountability (Users should be able to view the data that companies have on them and correct any inaccuracies)
  • The Right for Breach Notification (Users are required to be notified within 72 hours if user data has been breached in a way that can cause “risk to the right and freedoms” of EU based data subjects)
  • The Right to Data Portability: companies must supply users with the ability to virtually send the data that the company collects on them to a different business, trusted third party, or the user themselves when “technically feasible”

Companies should also update internal policies and organizational measures by having protocols in place for data management and responding to a potential security breach.   And, vendor contracts should be updated.  For example, if a vendor handles email marketing for Company A, Company A is the “Controller” of the data and is responsible for ensuring that their vendor has sufficient compliance practices in place.  If the vendor fails to establish sufficient compliance, Company A may be found to be in violation of the regulation.

iv. Is It Too Late?

No.  It is never “too late” to begin taking measures to comply.  Technically, GDPR has no “grace period” and fines can be instituted at any time.  However, in practice, regulatory bodies often look to what efforts are being made to comply as a means of mitigating fines and penalties.  Thus, efforts for compliance continue, even for companies that initially never dreamed that an EU regulation such as GDPR could affect them.

If you have questions on GDPR or would like to take steps to become compliant, please contact Levin Ginsburg at 312.368.0100.