GDPR and the impact on US organisations

With just a few weeks to go until the General Data Protection Regulation, commonly known as "GDPR", takes effect on 25 May 2018, what do your US clients need to be doing? Ed Henderson of Lee Bolton Monier-Williams, MSI's London-based UK law member, provides further insight.

Surely it doesn't apply to me?

The purpose of the legislation is to create a single, unified set of rules across the EU for all companies offering goods or services to people in the EU. We are receiving an increasing number of instructions (including several MSI referrals) from US companies who realise that GDPR does apply to them. It is not too late to seek advice.

If your US client holds, receives or comes into contact with the personal data of individuals in the EU, then the GDPR will apply. The definition of 'personal data' has expanded from the current data protection regime and now includes any information relating to an identified or identifiable natural person, such as a name, email address, biometric data and electronic identifiers such as IP addresses. No transaction needs to have occurred to bring your client within the ambit of the GDPR. Companies may be collecting data without realising the implications (this applies to a number of our US-based clients). Clients should urgently review their marketing practices and websites to see if they are unwittingly or inadvertently collecting personal data.

What if I'm already self-certified under the Privacy Shield?

Certification under the EU-US Privacy Shield will not guarantee total GDPR compliance, but it is a good start: it should indicate that your US client is already taking data protection seriously. The Privacy Shield is about the safe transfer of data out of the EU to the US, but data transfer is just one part of GDPR. Whilst the GDPR recognises the Privacy Shield, it imposes more wide-ranging obligations on data controllers and processors, even where they are based in the US. Particular factors that a US company will need to consider are:
  • whether a Data Protection Officer and/or an EU representative should be appointed;
  • whether contracts with processors need to be updated to ensure the processor gives the requisite security guarantees;
  • whether the consent of the data subjects is required when marketing; and
  • whether they can comply with the increased information and transparency rights for data
Penalties

The alarmist headlines will have told you that penalties for non-compliance are severe: data protection authorities are given the power to impose fines of up to €20m or 4% of worldwide annual turnover, whichever is higher, for the most serious infringements. It seems unlikely that there will be sanctions anywhere near this level other than in the most high-profile cases, but we will have to wait and see.

What should I be doing to prepare?

We are finding that US companies have a good handle on GDPR from the wealth of information available online, yet still require advice on certain aspects. Now is the time to seek legal advice to understand exactly what your clients' status is under GDPR and what the specific requirements affecting their business are. Ed Henderson and Stephen Dean are leading on GDPR for LBMW. If you do require any further assistance or wish us to review any of your policies, please get in touch.