As if keeping up to date with federal and state laws wasn’t enough, U.S. companies with a physical presence or established distribution channel in the European Union will now need to comply with the EU’s new General Data Privacy Regulation (GDPR), which went into effect on May 28.
Under the GDPR, some companies are required to have a Data Protection Officer (DPO), specifically those that deal with European data on a “large scale,” a term with little definition in the regulation.
Having a compliant DPO requires finding someone who already has both legal and Information Technology (IT) expertise or training them for those skills. The DPO must stay abreast of changes to European privacy laws, and he or she is responsible for ongoing compliance.
The GDPR will evolve as litigation and regulatory action from the countries adopting the GDPR shape it in the coming months. The DPO will need to monitor these interpretations as they happen and guide the company accordingly. It is essential that the DPO be involved in any new technological advances deployed by the company. The DPO must fit into the company’s organizational structure in a unique way, reporting to the highest levels within the company and yet maintaining complete independence.
Does This Apply to Small and Medium Companies?
The GDPR’s obligations can be onerous and the risks of noncompliance are significant, which causes smaller companies with limited business in Europe to question how to proceed. Small and medium companies may find the prospect of having a DPO financially unsustainable. Although it is permissible to outsource the DPO responsibility, even outsourcing might prove difficult to manage given the extent to which the DPO must be integrated into a company’s operations.
Even small and medium U.S. companies without repeated transactions in the EU need to be mindful of the GDPR. The practical questions are how, and to what extent, a small- or medium-sized U.S. business should attempt to comply with a European regulation that may or may not apply and where the risk of actual regulatory enforcement might be slight.
The first task is to gauge whether the GDPR applies, and small and medium companies might be surprised by the answer. The hallmark of the GDPR is the protection of personal information about EU residents. It is particularly focused on health information and information about a person’s religious views. The more data a company receives or stores regarding EU residents, the more likely that a company is subject to the GDPR and the greater the risk.
There are several ways in which a small- or medium-size company with occasional transactions in the EU can become subject to the GDPR. One such way is to “face” internet sales channels toward the EU. For example, posting a version of a website translated into French and including a mechanism to accept credit card payments from French banks facilitates the collection of personal information regarding residents of France.
There are less obvious ways companies can find themselves obligated to meet the GDPR. For example, U.S. companies entering into contractual arrangements with partners or vendors in the EU must carefully scrutinize contracts for clauses in which the U.S. company warrants compliance with GDPR. U.S. companies must also watch for clauses requiring them to defend or indemnify their European partner for claims associated with violating the GDPR.
There might also be instances in which two U.S. companies contracting with each other create GDPR obligations. Assume a larger U.S. company has a few employees located in the EU and it wants to hire another U.S. company to provide human resources consulting services in which all employees’ data will be shared. The larger U.S. company’s RFP for these services may require bidders to certify GDPR compliance because a small amount of data will involve EU residents. Worse still, that detail might not emerge until after the contract is signed and the consulting company takes on the engagement. The exposure to EU resident data arguably imposes GDPR compliance obligations on the consulting firm even though its client is another U.S. company.
Steps to Minimize Risk
There are cost-effective steps companies can take to minimize risk where there is the possibility of GDPR application.
First, companies should conduct an audit to determine how much data they possess regarding EU residents and from what source. If it is possible to structure transactions to de-identify data regarding EU residents, those options should be explored. For example, a U.S. company might work with its counterparts in Europe to replace names with transaction IDs and refrain from taking sensitive information that needs to be protected.
Examine relationships with other U.S. businesses to determine if any data is being received concerning EU residents in those dealings. Companies should also audit any contracts that might involve EU data and establish protocols for reviewing and negotiating contracts moving forward to ensure they do not unwittingly take on GDPR obligations. Similarly, U.S. companies should attempt to negotiate clauses with any European business partners to ensure compliance and indemnify for failing to comply with the GDPR.
Regardless of GDPR applicability, it is wise to provide training to employees about protecting data and privacy. If the company deals with any EU resident data, that training should be augmented to include specific reference to the obligations embedded within the GDPR. When appropriate, companies should also consider updating or amending their terms and conditions to include the types of notifications to consumers required by the GDPR. This can be done without specific reference to the GDPR while still providing the substantive text to minimize risk. Companies’ written privacy policies can be updated to include GDPR-like terms. This would include developing mechanisms to obtain consent before using data for marketing purposes. U.S. companies should also consider putting into place procedures to handle requests from EU residents to access, correct and even delete data about them, all of which is required by the GDPR.
In today’s digital economy, companies of all sizes should take a close look at their security measures. U.S. companies can implement relatively inexpensive protocols to shield themselves from GDPR enforcement against them.
Attorney JP Harris is a shareholder at Sheehan Phinney in Manchester. He is a commercial litigator with extensive experience advising clients on record retention and data breach issues. For more information, visit sheehan.com.