What impact will GDPR have on companies based in the United States and outside the EU?

Seamus Clifford, Partner & Head of Business Services at Ellisons Solicitors

"In our experience, there are a raft of smaller, but still substantial businesses based in the US and elsewhere that will be caught by the extra-territorial reach of GDPR, but that haven't to date had the knowledge or resources to put in place a compliance regime."
Seamus Clifford, Partner, Ellisons Solicitors

The lawyers at UK law member Ellisons have spent recent months supporting clients in the UK and beyond in their efforts to ensure compliance with the EU's new General Data Protection Regulation (GDPR) ahead of the 25th May implementation date. UK solicitors Seamus Clifford and Jon Bloor explain in this short article how businesses outside the EU, particularly in the United States, may, through the nature of their activities, get caught up in GDPR. Moreover, they explain the extra-territorial reach of the EU's new data protection regulations, the practical steps companies may need to go through to ensure they do not fall foul of the new requirements in EU member states, and how Ellisons can, through their Alliott Group worldwide professional connections, help international clients to get the right advice on GDPR and a wide range of related business challenges.   

Confusion over GDPR among companies incorporated outside the EU

Over the last few months, it has become clear that a number of our contacts and clients outside the EU don't have a clear understanding of the impact the GDPR may have on them.

Article 3(2) of the GDPR (Territorial Scope) makes it clear that the GDPR also applies to businesses that are incorporated outside the EU. This means that any business that processes the personal data of EU subjects with a view to offering goods and services in the EU (including free services), or monitoring their behaviour in the EU, will be within the scope of the GDPR.

Types of businesses most likely to be subject to GDPR compliance

This will catch a wide range of businesses, but it will clearly apply to online retailers, Software and Service providers, social media platforms and mobile app developers to the extent they provide services to EU citizens.

As a starting point, Article 27 of the GDPR requires these businesses to appoint a representative within an EU member state unless they fall within a very limited exemption based on their processing being "occasional", not including any large scale processing of sensitive data and unlikely to result in a risk to the rights and freedoms of natural persons. This will be a very difficult test to satisfy for any business which regularly deals with EU citizens.

This representative can be subject to enforcement action in the event of GDPR non-compliance, but this does not mean that the non-EU data controller themselves are able to avoid this.

Practical steps

Instead, the non-EU data controller themselves will also be subject to the full GDPR compliance regime in connection with their processing of this data. This is very extensive (as businesses in the EU have found over the last months), but in terms of practical steps would include as a minimum:

• Issue of GDPR-compliant Privacy Notices to customers
• Adoption of appropriate internal policies and procedures in relation to data privacy, security, breach notification and rights of data subjects
• Putting in place compliant controller/processor agreements with any organisations processing data on their behalf; and
• Record keeping (and potentially maintenance of detailed processing records) to comply with the "accountability" requirement to be able to produce evidence of compliance with the GDPR.

Financial penalties

The regime of financial penalties under the GDPR will also apply to these non-EU data controllers. While the maximum levels of €10,000,000 or 2% of global turnover or €20,000,000 or 4% of global turnover (the greater in each case) may be unlikely to be seen in the short term, the level of penalties will clearly be of significant concern. 

Jurisdiction-specific issues

There may also be specific issues in some jurisdictions. For example US companies would not typically regard an IP address as "personally identifying information" for data protection purposes, while under the GDPR this can clearly constitute "personal data".

Larger companies are ready, but not their smaller counterparts

The larger technology companies are used to looking at these kinds of cross-jurisdictional issues and have generally taken the appropriate steps well in advance of the 25th May.

However, in our experience there are a raft of smaller, but still substantial, businesses based in the US and elsewhere that will be caught by the extra-territorial reach of GDPR, but that haven't to date had the knowledge or resources to put in place a compliance regime.

Visit our GDPR Resource Hub

• Confused about GDPR? Dive into our Resource Hub

Initial leeway likely to give way to penalties in the event of non-compliance

Whilst 25th May will come and go, the importance of complying with the GDPR has not diminished, and indeed the likelihood of enforcement action and penalties by supervisory authorities will only increase as time goes on and any informal latitude which might be given initially falls away.

As such, it is critical that any non-EU business that are carrying out this kind of processing look at undertaking a data protection audit and the GDPR compliance exercise without delay.

Get advice on GDPR

With Ellisons' background of advising a wide range of UK based companies on the GDPR compliance, and their international reach via membership of Alliott Group, the firm is ideally placed to assist. Contact Seamus Clifford and Jon Bloor for more information.