Is My Organization Subject to the GDPR?

On May 25, 2018, the European Union's ("EU's") General Data Protection Regulation ("GDPR") became applicable, imposing new prohibitions, standards, and risk management requirements on how companies may collect, process, transfer, and share personal data. For U.S. associations, the most notable aspect of the GDPR is its expanded, extraterritorial scope: companies outside the EU can now be subject to GDPR fines of up to €20 million or four percent of total worldwide annual turnover for the preceding financial year, whichever is higher. The GDPR's scope is broadly defined, and while some authoritative interpretations serve as fenceposts, the EU supervisory authorities that administer and enforce data protection law have not yet provided clear guidance on when U.S. companies fall within their jurisdiction. Nonetheless, given the significant penalties, the numerous EU regulatory bodies tasked with data protection under the new law, and the ability of individuals to lodge complaints with regulators or bring private actions against violators, it is important for U.S. organizations to understand whether and how the GDPR may apply to their activities.

Territorial Scope

There are two tests for determining whether the GDPR applies directly to your organization's data processing activities:
If your organization meets either of the two tests above, the GDPR applies to the processing activities that are carried out in the context of the EU establishment's activities (Establishment Test) or that involve the personal data of data subjects located in the EU (Targeting Test).

Contractual Scope

Even if your organization does not fall directly within the territorial scope, it may nonetheless receive contractual agreements from partners requiring GDPR compliance. This can occur in a number of circumstances, including, for example:
In some cases, your organization may be able to negotiate with partners to limit unnecessary contractual obligations for GDPR compliance. In other cases, it may be able to find different vendors or processors that also fall outside the GDPR. This is not always possible, and if one of your partners, vendors, or processors believes it falls under the GDPR, you should evaluate the applicability of the GDPR to your own organization's activities.

I Think My Company Falls Under the GDPR: What's Next?

The GDPR imposes a number of new rules related to data security, disclosures to data subjects, handling of data subject requests, risk management, breach notification, and contractual arrangements with processors. Depending on the scale of your processing activities and the amount of EU personal data you handle, a narrowly tailored compliance approach may be possible. At the moment, EU data protection authorities have received numerous complaints and tips about GDPR noncompliance, and private parties have filed actions against companies they believe are noncompliant. It will take some time before we understand how the EU intends to enforce the GDPR against U.S. companies. On January 21, 2019, in the first major GDPR enforcement action against a U.S. company, France's data protection authority (the CNIL) fined Google LLC €50 million (approximately $57 million) for GDPR violations. While the first major enforcement actions work their way through the courts, we recommend that you consult counsel to review the applicability of the GDPR to your activities and, if you have GDPR exposure, to help your organization come into compliance.

If you have any questions regarding GDPR compliance, please feel free to contact Oliver Krischik at (202) 342-5266 or okrischik@gkglaw.com.
© 2024 GKG Law, P.C. All Rights Reserved.