Is My Organization Subject to the GDPR?

By: Oliver M. Krischik

On May 25, 2018, the European Union’s (“EU’s”) General Data Protection Regulation (“GDPR”) went into effect, imposing new prohibitions, standards, and risk management guidelines on how companies can collect, process, transfer, and share personal data.  For U.S. associations, the most notable aspect of the GDPR was the expanded, (extra)territorial scope – companies outside the EU can now be subject to GDPR fines as high as €20 million or four percent of annual gross income, whichever is higher. 

The GDPR’s scope is broadly defined, and while some authoritative interpretations may serve as fenceposts, EU supervisory authorities that administer and enforce data protection regulations have not yet provided clear guidance on how U.S. companies may fall under EU jurisdiction.  Nonetheless, given the significant penalties, the numerous EU regulating bodies tasked solely with data protection under the new law, and the ability for individuals to lodge complaints with regulators or bring private actions against violators, it is important for U.S. organizations to understand if and how the GDPR may apply to their activities.

Territorial Scope

There are two tests to determine if the scope of the GDPR directly applies to your organization’s data processing activities:

• The Establishment Test
• The Targeting Test

If your organization meets either of the two tests above, then the GDPR would apply to those processing activities that are in the context of the establishment’s activities (Establishment Test) or that involve the personal data of data subjects located in the EU (Targeting Test).

Contractual Scope

Even if your organization does not directly fall within the territorial scope, it may nonetheless find itself receiving contractual agreements from partners requiring GDPR compliance.  This may occur in a number of circumstances, including, for example:

• (1) If your organization is a data processor that performs operations on sets of data on behalf of other companies or individuals, the data controller (i.e., the organization that determines the purposes and means of processing) itself may fall under the GDPR.  The data controller would be required to ensure that its data processors conduct themselves in full compliance with the GDPR.
• (2) If one of your organization’s partners falls under the GDPR, and both your organization and its partner jointly determine the purpose and means of processing, then the partner would be deemed a “joint controller” alongside your organization under the GDPR.  Accordingly, the GDPR would require the partner to clearly allocate data protection responsibilities with your organization by means of an arrangement.  The most common vehicle for this arrangement would be a contractual agreement.
• (3) If one of your organization’s partners is contractually required to comply with the GDPR, one of the provisions may require the partner to ensure that other organizations (like yours) that have access to a shared pool of a data also abide by the GDPR.
• (4) If one of your organization’s processors anticipates that some of its customers may fall within the scope of the GDPR, the processor may require all of its customers to agree to a Data Protection Addendum or other contractual agreement requiring GDPR compliance.

In some cases, your organization may be able to negotiate or work with partners to limit unnecessary contractual obligations for GDPR compliance.  In other cases, your organization may be able to find different vendors or processors that also fall outside of the GDPR.  This is not always possible, and if one of your partners, vendors, or processors believes it falls under the GDPR, it may be important to evaluate the applicability of the GDPR to your own organization’s activities.

I think My Company Falls Under the GDPR: What’s Next?

The GDPR imposes a number of new rules related to data security, disclosures to data subjects, handling requests by data subjects, risk management, disclosing breaches, and contractual arrangements with processors.  Depending on the scale of your data processing activities and the amount of EU data you handle, it may be possible to employ a narrowly-tailored compliance approach. 

At the moment, EU data protection agencies have received numerous complaints and tips about GDPR noncompliance, and private actors have filed private actions against companies they believe are noncompliant.  It will take some time before we understand how the EU intends to enforce the GDPR against U.S. companies.  On January 21, 2018, in the first major GDPR-related enforcement action against a U.S. company, France's data protection agency fined Google, Inc. approximately $57 million for GDPR violations.  While the first major enforcement actions work their way through EU courts, we recommend that you contact counsel to review the applicability of the GDPR to your activities and, if you have GDPR exposure, to help your organization come into compliance.

If you have any questions regarding GDPR compliance, please feel free to contact Oliver Krischik at (202) 342-5266 or okrischik@gkglaw.com.