GDPR: European Law Makes Big Demands on US Companies

On May 25, 2018, enforcement of the European Union’s (“EU”) General Data Protection Regulation (“GDPR”) will begin. GDPR will impact a significant number of US companies, big and small. With penalties reaching 4% of worldwide annual turnover (revenue) or €20 million, whichever is greater, noncompliance can be very costly. In general, US companies that process personal data of individuals in the EU are subject to GDPR if they: (1) have a physical presence in the EU, (2) have European employees, (3) direct the sale of products or services to individuals in the EU, (4) provide services to a business subject to GDPR or (5) regularly monitor or track the behavior of individuals in the EU. There is still time to come into compliance with GDPR before the May 25, 2018 due date. Here are some of the more significant changes from existing US law to consider.

Privacy Policies. GDPR requires privacy policies to include more information than is normally provided by businesses in the US. Among other requirements, GDPR requires information on (1) whom to contact with complaints, (2) what an individual’s privacy rights are and how those rights can be exercised, (3) the lawful basis and purposes for processing the data and (4) how to give and revoke consent. If your privacy policy has not been recently reviewed, GDPR compliance is just one of many reasons to have counsel carefully review the privacy policies for your websites and apps.

Vendor Management. Vendor management is critical to GDPR compliance. Companies subject to GDPR must ensure that their agreements with vendors contain the required language about data privacy, security and transfers, including in existing contracts. The requirement takes on particular importance for US companies because, in addition to the standard contract requirements under GDPR, provisions covering cross-border transfers of personal data out of the EU will need to be incorporated. Taking steps now to comply with the contract requirements will give your business more control over the language than if you wait to receive language from vendors and customers. Additionally, it is important to take the time to review and select the right vendors and then share with them only the information GDPR permits.

Consent. GDPR sets a high standard for when and how to obtain consent from individuals. Consent must be freely given, specific, informed and unambiguous: an affirmative act by the individual, made after being clearly informed in language the individual can understand. It is not sufficient to obtain consent through a pre-checked box, as is commonly done in the US. Also required is language about how to revoke consent, and the revocation process must be as easy as the consent process. Consent under GDPR has several additional requirements and restrictions to be carefully considered.

Next Steps. Take action immediately to determine if GDPR applies to your business and, if so, the scope of its applicability. Review our more detailed memorandum on GDPR, which can be accessed here. If GDPR does apply, which is more likely than many businesses may think, below are some next steps to help you bring your business into GDPR compliance prior to the enforcement due date on May 25, 2018.

  1. Assess the scope of your data, including where it is, who has access and how and when it is used and transferred.
  2. Prepare a compliance strategy that should include an assessment with knowledgeable counsel of how GDPR will apply to your business, whether your business needs a Data Protection Officer (DPO), what policies need to be changed or created and what software and services will be needed for your compliance efforts.
  3. Review contracts with vendors and your privacy policy to revise or add GDPR requirements.
  4. Train employees on GDPR and consider using this as an opportunity to provide broader data privacy and cybersecurity training.

The European Commission recently released information on the direct application of the GDPR, which you can access here. Clark Hill attorneys can assist you through the next steps and guide your business towards GDPR compliance.