GDPR and the impact on US organisations
Surely it doesn’t apply to me?

The purpose of the legislation is to create a single, unified set of rules across the EU for all companies offering services in the EU. We are receiving an increasing number of instructions (including several MSI referrals) from US companies who realise that GDPR does apply to them. It is not too late to seek advice.

If your US client holds, receives or comes into contact with the personal data of EU citizens then the GDPR will apply. The definition of ‘personal data’ has expanded from the current data protection regime and now includes any information relating to an identified or identifiable natural person such as a name, email address, biometric data and electronic identifiers such as IP addresses. No transaction needs to have occurred to bring your client within the ambit of the GDPR. Companies may be collecting data without realising the implications (this applies to a number of our US based clients). Clients should urgently review their marketing practices and websites to see if they are unwittingly or inadvertently collecting personal data.

What if I’m already self-certified under the Privacy Shield?

Certification under the EU-US Privacy Shield will not guarantee total GDPR compliance but it is a good start – it should indicate that your US client is already taking data protection seriously. The Privacy Shield is about the safe transfer of data out of the EU to the US. But data transfer is just a part of GDPR. Whilst the GDPR recognises the Privacy Shield, it imposes more wide-ranging obligations on data controllers and processors, even where they are based in the US.

Particular factors that a US company will need to consider are:
- whether a Data Protection Officer and/or an EU representative should be appointed;
- whether contracts with processors need to be updated to ensure the processor gives the requisite security guarantees;
- whether the consent of the data subjects is required when marketing; and
- whether they can comply with the increased information and transparency rights for data