Overview
If you are a compliance professional for a U.S.-based company, you have probably been told at some point that you have to worry about the General Data Protection Regulation (GDPR).
Have you encountered one of these situations?
- A vendor or customer tells you to sign a lengthy and very technical GDPR data processing agreement (“DPA”) as part of your contract.
- You are told to be prepared to respond to a data subject access request (“DSAR”), a burdensome GDPR information request a European citizen might send you.
These scenarios assume that the GDPR applies to your business activities, but that may not necessarily be true. The GDPR is a “long-arm” statute because it reaches some companies that do not have facilities or employees in Europe. However, it is very possible that the GDPR’s arms are not long enough to reach your company.
In other words, while the GDPR “hype” can be anxiety-inducing, your company may not have to worry.
A Refresher: What Is the GDPR?
The GDPR is the law governing data privacy in the 27 countries of the European Union, plus Iceland, Liechtenstein, and Norway. Unlike U.S. data privacy laws, the GDPR applies uniformly to all entities―small or large, public or private―that handle personal information.
The GDPR imposes significant legal requirements on the entities that collect and use personal information (“data controllers”) and gives persons whose information gets collected and used (“data subjects”) strong rights to access, correct, or delete their information.
It’s no secret that complying with the GDPR is a challenge. It has concepts that are unfamiliar in the American legal system, such as the “legal bases of processing” requirement. It also requires you to create documents with both uninformative and intimidating names like ROPA (a “Report of Processing Activities”), DPIA (“Data Privacy Impact Assessment”), and TIA (“Transfer Impact Assessment”).
How Do I Know if the GDPR Applies to My Company?
Article 3.2(a) of the GDPR applies to companies not established in Europe if they offer goods or services to people in Europe. European regulators refer to this section as the “targeting” provision. It covers companies that “intentionally, rather than inadvertently or incidentally” do business in Europe.
Intention is key. Often, the concern is whether minimal interactions in Europe subject a business to the GDPR. For example, you may worry about:
- A customer traveling to Europe and logging into their account;
- An employee temporarily working in Europe;
- European national customers living in the United States; or
- EU consumers visiting your company’s website.
These factors alone do not necessarily subject you to GDPR without additional evidence that your company is intentionally targeting Europeans.
Questions you will want to ask to determine if your company is targeting European consumers include:
- Do you market products in European languages not used in your own country?
- Do you enable payments in Euros or other European currencies?
- Does your company provide physical addresses or phone numbers in European countries?
- Does your company have a website address that uses a top-level domain associated with Europe (e.g., .eu, .fr, or .de)?
Some combination of these and similar “targeting” factors could bring your company within the GDPR’s scope.
What Steps Should My Company Take?
GDPR is a fact of life for U.S. companies that have decided to do business in Europe, and the costs of noncompliance can be high. If you believe your company targets European consumers, you need to ensure you have the right documentation and procedures in place to provide the protections the GDPR gives them.
But if your business activities do not trigger the GDPR’s jurisdiction, you should not invest your precious time and money in GDPR compliance.