I recently had a conversation with one of our attorneys, Michael Hellbusch of Rutan & Tucker, LLP, about the implementation of the General Data Protection Regulation (GDPR). If you haven’t heard already, the GDPR is a regulation on data protection and privacy for those in the European Union as well as the European Economic Area. Specifically, the regulation contains new provisions and requirements for businesses on the collection and processing of individuals’ personally identifiable information (PII). It entered into effect on May 25, and since it is a regulation, it is directly binding and applicable.
My business is physically located in the United States, and we have limited to no presence in the EU electronically. One of the biggest questions I had for Michael was whether the GDPR would affect my business, and if so how? Michael’s answer surprised me: the GDPR absolutely can affect businesses outside of the European Union, and businesses around the world may need to re-examine their privacy policies.
Who Does GDPR Apply To?
Let’s start with the big one: the GDPR has a much broader territorial scope than just the EU. As Michael told me, the GDPR applies to:
- Organizations established in the EU that process personal data in the context of the activities of that establishment, regardless of where the processing takes place;
- Organizations not established in the EU that offer goods and services to EU data subjects or monitor their behavior;
- Data controllers not established in the EU but in a place where member state law applies through public international law (though this is generally not applicable).
How to Tell if Your Business is Affected
So, the GDPR could easily apply to a business not established in the EU. But can you tell if the regulations apply to your business? Ask yourself the following questions.
1. Is my business established in the EU?
When we say that a business is “established” in the EU, here’s what we mean. Any organization could be considered “established” if it is physically established in the EU through an office, subsidiary, branch, outpost, or employees located in the EU; it could also be considered established if there is real and effective exercise of activity through stable arrangements in the EU.
In summary, if you have property, business, employees, or data in the EU, your organization would be considered “established.”
2. Even if my business is not “established” in the EU, do we offer any goods or services to EU data subjects?
But let’s say that you don’t have any offices, personnel, or materials in the EU. Does your organization target EU data subjects as customers? Do you market to EU customers or refer to them in marketing? Do you offer goods or services in EU currency? Do you allow customers to place orders in a local language? If that’s the case, your organization would be subject to GDPR regulations.
3. Even if my business is not “established” in the EU, do we “monitor” EU data subjects?
If your organization collects personal data of EU data subjects, you will fall under GDPR regulation. Whether you’re using web analytics, RFID tags, tracking, cookies, or geo-location tracking, this would place you under the GDPR.
GDPR in the United States
As Michael’s information tells us, the GDPR can easily apply to organizations in the United States. For the majority of US companies, it would apply indirectly by way of contractual relationships with companies that are required to be GDPR-compliant.
Some businesses might choose not to do business with any GDPR-regulated businesses if they find that GDPR compliance is too big of an issue to take on. However, this is not the recommended course of action, as the GDPR’s requirements for the most part consist of best practices for data security, and after this year’s events consumers are looking for businesses that prioritize privacy and information protection.
If you’re still confused, we recommend that you take a look at the EU/US Privacy Shield. This is an agreement between the US and the EU that helps businesses to become GDPR-compliant through a self-certification process. An organization that self-certifies with the FTC under the Privacy Shield is considered to have met the EU’s requirements to process EU subjects’ data; however, keep in mind that organizations that self-certify are in turn agreeing to enforcement of EU data subject rights by the FTC under the GDPR.
At the end of the day, you need to ask yourself: do you do any business with people or entities who require GDPR compliance? It’s much more likely than you think. We strongly recommend taking the time to do a deep dive on your privacy policies. Even if you don’t think that you need to be GDPR-compliant, it’s never a bad idea to assess your business’s cybersecurity practices and take the time to keep yourself and your clients safe.
I’d like to thank Michael for taking the time to provide this information to us, and I hope that you came away from this blog with a greater understanding of what it means to be GDPR-compliant and why it’s an important practice for businesses around the world.
About Michael Hellbusch
Michael Hellbusch is an intellectual property attorney at Rutan & Tucker, LLP who excels in several areas of law including cyber law, data security, and privacy issues. He has a broad range of experience both as a transactional lawyer and as a litigator. He focuses his practice on brand and reputation protection for clients in the online atmosphere.
About Neilson Marketing Services
Since 1988, Neilson Marketing has been implementing innovative marketing solutions and strategies for our clients in all areas of marketing. Contact us today at (800) 736-9741 to put our talent, expertise, and vast resources to work for you. Let’s make things happen, together!