Apr 2, 2018 - Justin Emond

For U.S.-based companies, GDPR risk isn’t as low as you might think

By now you have probably heard of the onerous new European Union (EU) data protection law, the General Data Protection Regulation (GDPR), which takes effect on May 25, 2018. You have probably also heard that the fines for violations are stiff (up to 4% of a company's worldwide annual turnover or €20 million, whichever is higher) and that the compliance requirements are just as frightening as the fines. What is less well understood is how much risk US companies with no EU operations actually carry. To see why that question is so hard to answer, we need to look more closely at the heart of the regulation.

GDPR is the most sweeping update to EU data privacy law of the Internet era and mandates some of the most robust protections in the world, introducing wide-ranging new requirements that affect a substantial portion of the global digital economy. The Content Advisory aptly summarizes the changing landscape in its excellent report on GDPR: data availability moves from “super abundance” to “scarcity,” data culture from “data predators” to “data shepherds,” and data strategy from “big data” to “beg data.”

GDPR introduces three key changes, each of which you need to grasp to fully appreciate the scope of the new regulatory reality arriving on May 25. The first is the eye-popping penalties mentioned above. The second, how users consent to an organization collecting and using their data, is the essence of how GDPR will reshape your customer journey and experience. You can learn more about the impact of this second change and the dos and don'ts of compliance on our GDPR resource overview page.

It is the third key change that is crucial to assessing how the new regulation will affect your company. Most succinctly described as extra-territorial applicability, GDPR keys not on where data is stored (a dubious criterion in the digital era) but on the nature of the data, and more specifically on the person the data describes. Attaching obligations to the data itself, regardless of where it sits, very intentionally gives enforcement a global scope. Article 3 spells this out: the regulation applies to controllers and processors outside the EU when they offer goods or services to people in the EU or monitor their behaviour there, and it also applies wherever member-state law reaches by virtue of public international law, further evidence of the anticipated global reach. Nor does the regulation distinguish between data gathered intentionally and data gathered incidentally. Note, too, that the test is whether the data subjects are in the EU, not whether they hold EU citizenship. If the data is about people in the EU, GDPR applies and, at least in some situations, EU regulators can and will punish violators.

Unfortunately, the global scope of this third key change is exactly what makes the risk for U.S.-based companies without a formal EU presence so ambiguous. Even with no business operation, legal entity, or physical presence in the EU, your organization may still run the risk of GDPR fines. The key to identifying that risk lies in marketing. Recital 23 of the regulation describes the kind of evidence that shows you are “offering goods or services” to people in the EU: using a language or currency of a member state, or mentioning customers or users who are in the EU. It also says that a website merely being reachable from the EU is not, by itself, enough. So if you run microsites on EU country-code TLDs, publish marketing copy in a member-state language, or run ads targeted at people in the EU, and you collect personal data (an IP address counts), you will likely have to comply. And remember that GDPR applies to data collection whether or not commerce is involved; no financial transaction is necessary to trigger compliance requirements.

However, you might argue or assume that without a subsidiary, bank account, or operation in the EU, it is not possible for officials to collect fines from you. Unfortunately, that isn't always the case. In a recent article, Linda V. Priebe, a partner at Culhane Meadows and a former government lawyer under three White House administrations, describes how various international agreements between the US and the EU, and for that matter between the US and individual EU member states, could be used to enforce fines for violations.

Ms. Priebe also raises another crucial point: the EU is a collection of member states, each with its own supervisory authority to enforce GDPR, and each with its own departmental priorities, governing administration, and local politics. Even if one country decides to focus on domestic organizations or on foreign entities with established operations within its borders, nothing stops other member states from taking a global, ambitious approach to enforcement. Ms. Priebe smartly points out that last November, Germany began a data-protection investigation of 500 U.S. companies, large and small, that did business with German citizens. Only time will tell how enthusiastic Germany's GDPR regulators turn out to be, but past behavior is telling.

On to our most critical question: how should US organizations without business operations in the EU assess their GDPR risk? The most prudent course of action is a GDPR risk assessment, in which you audit a range of existing operations across the marketing and IT divisions of your company. For larger organizations, it may be most useful to build a survey using a tool like Google Forms and have marketers fill it out. Ask about and inventory all marketing efforts, offline and on, and identify any that are targeted at people in the EU, intentionally or not; look at the language, domain, and scope of each effort. Include questions that identify the internal databases storing customer information (systems like Marketo, Salesforce, and Pardot), how data flows into and out of them, and who is responsible for how it is used. Map this against an inventory of every customer-information capture touchpoint in your entire customer journey, from web forms to surveys and referral systems.

Lastly, inventory all of the third-party tools that run on every one of your digital properties. This will surface the data you are capturing about people in the EU through agreements with these third parties, outside your internal IT systems, processes, and controls. (Remember, even the lowly IP address is personal data under GDPR; Recital 30 names IP addresses and cookie identifiers explicitly.) Major integrations like Google Analytics offer GDPR-aligned configurations, but compliance depends on how you configure and consent-gate them, and it is likely that at least one of the tags on your sites isn't compliant at all.
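One way to get that third-party inventory started, as an added example that is not part of the original article: the Python script below parses a page's HTML with only the standard library and lists every host outside your own registrable domain that the page loads scripts, frames, images, or stylesheets from, or submits forms to. Each such load hands that host the visitor's IP address, so each host is a data recipient you need on your inventory. The sample HTML and the hostnames in it are constructed for illustration; the two-label registrable-domain heuristic is an assumption you would replace with a public-suffix-list lookup in production, and the parser sees only server-rendered tags, so tags injected at runtime by a tag manager need a headless browser instead.

```python
"""Inventory third-party resources embedded in a page's HTML.

Added example, not code from the original article. Standard library only,
so it runs offline on the constructed sample below; in practice you would
feed it the HTML of each of your own pages.
"""
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags whose URL attribute makes the browser contact another host
# (disclosing the visitor's IP address, user agent and often cookies).
LOADING_ATTRS = {
    "script": ("src",),
    "iframe": ("src",),
    "img": ("src",),
    "link": ("href",),
    "form": ("action",),
}


def registrable_domain(host: str) -> str:
    """Crude eTLD+1: the last two labels of the hostname.

    Assumption: good enough for .com/.net/.io style hosts; it is wrong for
    country-code second-level domains such as example.co.uk, where a real
    public-suffix-list lookup is needed.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class _ResourceCollector(HTMLParser):
    """Collect (tag, url) pairs for every resource-loading attribute."""

    def __init__(self):
        super().__init__()
        self.resources = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name in LOADING_ATTRS.get(tag, ()):
            url = attrs.get(name)
            if url:
                self.resources.append((tag, url))


def inventory_third_parties(html: str, first_party_host: str) -> dict:
    """Return {third_party_domain: [(tag, url), ...]} for every resource the
    page pulls from a host outside the first party's registrable domain."""
    parser = _ResourceCollector()
    parser.feed(html)
    own = registrable_domain(first_party_host)
    found = defaultdict(list)
    for tag, url in parser.resources:
        # scheme="https" makes protocol-relative URLs (//cdn.example/x.js) parse
        host = urlparse(url, scheme="https").hostname
        if not host:  # relative URL: served by the first party, skip
            continue
        domain = registrable_domain(host)
        if domain == own:
            continue
        found[domain].append((tag, url))
    return dict(found)


# Constructed sample page for a hypothetical first party, www.acme-corp.com.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="/static/app.js"></script>
<script async src="https://www.googletagmanager.com/gtag/js?id=EXAMPLE"></script>
<script src="//cdn.tracker.example/pixel.js"></script>
</head><body>
<form action="https://forms.crm-example.net/submit" method="post"></form>
<img src="https://cdn.acme-corp.com/logo.png">
<iframe src="https://www.youtube.com/embed/abc"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for domain, loads in sorted(inventory_third_parties(SAMPLE_HTML, "www.acme-corp.com").items()):
        print(domain)
        for tag, url in loads:
            print(f"  <{tag}> {url}")
```

Run it against saved copies of your own pages and the output is the first draft of the "who receives visitor data" column of your inventory; anything on the list that is not covered by a data processing agreement is a gap to raise with counsel.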

With this inventory and audit complete, you can create a visual summary of your risk landscape and have informed discussions with counsel and with marketing and IT leadership. If you determine that GDPR compliance is required, you will also have all the information you need to quickly draw up an effective compliance roadmap, so you and your team can get to work.

Note: This article does not constitute legal advice. Organizations should seek advice from counsel on their GDPR risk.

“The GDPR Launches a New Era for Customer Experience Management” https://www.bloomreach.com/en/resources/whitepapers/the-gdpr-launches-a…
“GDPR Key Changes” https://www.eugdpr.org/key-changes.html
“Yes, The GDPR Will Affect Your U.S.-Based Business” https://www.forbes.com/sites/forbestechcouncil/2017/12/04/yes-the-gdpr-…