2nd May 2018
Ed Henderson, Lee Bolton Monier-Williams
With just a few weeks to go until the General Data Protection Regulation, commonly known as “GDPR”, becomes law on May 25th 2018, what do your US clients need to be doing? Ed Henderson of MSI UK London-based law member Lee Bolton Monier-Williams provides further insight.
Surely it doesn’t apply to me?
The purpose of the legislation is to create a single, unified set of rules across the EU for all companies offering services in the EU. We are receiving an increasing number of instructions (including several MSI referrals) from US companies who realise that GDPR does apply to them. It is not too late to seek advice.
If your US client holds, receives or comes into contact with the personal data of EU citizens then the GDPR will apply. The definition of ‘personal data’ has expanded from the current data protection regime and now includes any information relating to an identified or identifiable natural person such as a name, email address, biometric data and electronic identifiers such as IP addresses.
No transaction needs to have occurred to bring your client within the ambit of the GDPR. Companies may be collecting data without realising the implications (this applies to a number of our US-based clients). Clients should urgently review their marketing practices and websites to see if they are unwittingly or inadvertently collecting personal data.
What if I’m already self-certified under the Privacy Shield?
Certification under the EU-US Privacy Shield will not guarantee total GDPR compliance but it is a good start – it should indicate that your US client is already taking data protection seriously. The Privacy Shield is about the safe transfer of data out of the EU to the US. But data transfer is just a part of GDPR.
Whilst the GDPR recognises the Privacy Shield, it imposes more wide-ranging obligations on data controllers and processors, even where they are based in the US.
Particular factors that a US company will need to consider are:
The alarmist headlines will have told you that penalties for non-compliance are severe – data protection authorities are being given the power to impose fines of up to €20m or 4% of worldwide annual turnover for the most serious infringements. It seems unlikely that there will be sanctions anywhere near this other than in the most high-profile cases, but we will have to wait and see.
What should I be doing to prepare?
We are finding that US companies have a good handle on GDPR from the wealth of information available online yet still require advice on certain aspects. Now is the time to seek legal advice to understand exactly what your clients’ status is under GDPR and what the specific requirements affecting their business are.
Ed Henderson and Stephen Dean are leading on GDPR for LBMW. If you do require any further assistance or wish us to review any of your policies, please get in touch.
Lee Bolton Monier-Williams (LBMW) is a well-known, medium-sized firm that has been based in central London for more than a century. We represent businesses, organisations and individuals nationally and throughout the world.