As the General Data Protection Regulation (GDPR) comes into effect in Europe, many American companies are scrambling to comply with its complexities. The GDPR was created with the goal of improving data privacy of individuals within the European Union. However, it’s effect is world-wide because it applies to any company doing business in the EU. Therefore, American companies who have European clients, even if they have not reached out to Europe to explicitly attract those clients, should be aware of the GDPR and how it may affect their business. That is precisely where the problem arises. The GDPR is 260 pages of legalese (not including internal references and footnotes). If you are interested in deciphering it, here’s a link to the GDPR Full Text.
For everyone else, we have put together a short overview of what we believe are the five most important aspects of the GDPR of which you should know. This is not meant to be a comprehensive overview, but instead is a primer to help you get started in complying with this behemoth regulation.
- Does it apply to my business? Simply put, if you do business in the European Union, it is very likely that the GDPR will apply. Specifically, companies that “process personal data” of people from EU countries will be required to comply with the GDPR. Processing personal data is defined extremely broadly by the GDPR to include any operation performed on personal data. Personal data is also defined broadly, and includes any information related to an identifiable person either directly or indirectly. Because courts have not yet had a chance to interpret exactly what these broad definitions include, it is best for you to be on the safe side and assume that if you are using data from clients, partners, or anyone affiliated with your business in the EU, the GDPR will apply.
- How do I comply? Compliance entails first understanding what parts of the GDPR apply to your business. Generally, you may fall into one of two categories- a “Data Controller” or a “Data Processor”. A Data Controller is a person, group of people or entity that “determine[s] the purpose for which and the manner in which any personal data are, or are to be processed.” A Data Processor refers to anyone who processes data on behalf of a data controller. It is likely that most entrepreneurs and small business owners will be considered Data Processors, but determining your status requires an in-depth analysis of what your business does. For Data Controllers, some of the main obligations include making sure that the business is in compliance with the 6 principles related to data processing under Article 5 of the GDPR. These include 1. lawfulness, fairness and transparency, 2. purpose limitation, 3. data minimization, 4. accuracy, 5. storage limitation, 6. integrity and confidentiality. Controllers are also responsible for hiring a Data Processor, if they need one, notifying individuals of any breaches, and maintaining internal records regarding how personal data is being used. For Data Processors, the responsibilities include processing personal data, providing guarantees regarding the security of personal data and compliance with the GDPR, providing the Data Controller with advice and warnings regarding potential data breaches and GDPR violations, and maintaining detailed records regarding all operations he does with regard to individuals personal data.
- When do I need to be in compliance with the GDPR? The GDPR came into effect on May 25, 2018. Therefore, if you are doing business in the EU, you should already be in compliance. If you are not in compliance,you should immediately take steps to become compliant so that you can show a good faith effort to comply. While we do not yet know how stringent enforceability will be (especially with small businesses), it will be important for you to maintain compliance in order to protect your business from penalties and to signal to potential clients and business associates that you will respect privacy and are on top of new regulations. If you need help becoming GDPR compliant, contact your lawyer for first steps.
- What are the penalties for noncompliance? Officially, the penalty for noncompliance with the GDPR is either 4% of the company’s annual global revenue or €20 million (about $23.3 million), whichever is greater. However, as previously mentioned, we do not yet know how stringently the GDPR will be enforced. Although we advise against taking risks with regard to the GDPR, small American companies with only a few European clients are less likely to be targets than large, multinational corporations with millions of clients in the EU. However, there are other, non-monetary penalties that may arise. For example, from a business standpoint, it will not look professional or responsible to not be in compliance with the GDPR if you have clients in the EU.
- Where can I get help in understanding the GDPR and becoming complaint? Any of the resources below could be useful to further educate yourself and become GDPR compliant. While we do not specifically endorse any of these resources, we do suggest that you seek professional help if you feel that you cannot comply with the GDPR on your own.IMB GDPR I BOOK: Here
HelpScout GDPR Overview: Here
MailChimp GDPR Tools: Here
GDPR Experts’ Advice: Here
Please note – the lawyers at Fourscore Business Law are experienced in business matters of many kinds, which give us the opportunity to be involved in tax discussions on a regular basis. However, we are not CPAs or “tax” lawyers. We have many great contacts and refer our clients to them when needed. Please do not take the summary set forth in this article as tax or business planning advice!
Based in the Research Triangle region of North Carolina, Fourscore Business Law serves entrepreneurs and businesses in Raleigh, Durham, Chapel Hill, Wilmington, Charlotte and throughout the Southeast. We also represent venture capital funds and other investors who invest in companies located in New York, Silicon Valley and everywhere between. The idea of delivering maximum impact in a simple and succinct manner is what we’re calling the Fourscore Principle. And that is what Fourscore Business Law is based on. Our clients operate in a broad range of industries including tech, IoT, consumer products, B2B services and more. Questions? Shoot us an email or give us a call at (919) 307-5356. Your first call is on us.