

For months, you likely have been seeing articles or receiving e-mails on the topic of the European Union’s (EU) new privacy regulations, termed the General Data Protection Regulation (GDPR), which go into effect on May 25th. You may have skimmed them, or you may have hit “delete,” thinking they don’t apply to your small business. But are you sure?

The GDPR is designed to improve and harmonize data privacy laws across Europe, and will apply in each of the EU’s 28 member states. Unlike its predecessor law, however, the GDPR’s obligations extend to any U.S. company that handles the personal data of EU citizens. This would include, for example, any U.S. company that has an Internet presence and markets its products or services over the web, regardless of whether a financial transaction or sale takes place. So if your company collects “personal data” of an EU citizen even as part of a marketing survey, for example, then the data would have to be protected pursuant to the GDPR. And personal data can be something as simple as someone’s name, e-mail address or mobile device ID.

Along with the GDPR’s increased territorial scope, there are also other key changes that U.S. companies should be aware of:

Consent – The requirements for consent to collect personal data have been strengthened. Any request for consent now must be presented in an intelligible and easily accessible form, and must be clear and distinguishable from other matters. It also must be as easy to withdraw consent as it is to give it, and once consent is withdrawn, any “data subject” (the person whose data is being collected) also has the right to have his or her personal data completely erased.

Rights of data subjects – A data subject now has the right to ask for confirmation that their personal data is being processed, where, and for what purpose. Further, any data subject can request, and a company must provide, a copy of the personal data to him or her, free of charge, in an electronic format. Additionally, notification of a data breach will become mandatory if the breach is likely to “result in a risk for the rights and freedoms of individuals.” Under that scenario, notification must occur within 72 hours after a company becomes aware of the breach.

Penalties – Last but not least, the maximum fines for the most serious infringements are steep. Companies in breach of the GDPR can now be fined either (1) up to 4% of their annual global revenue or (2) up to €20 Million (approximately $24 million USD), whichever is greater. Second tier fines for lesser offenses could be either (1) up to 2% of a company’s annual global revenue, or (2) up to €10 Million (approximately $12 million USD).

While all of this may seem imposing, the reality is that many small companies can comply with the GDPR’s regulations simply by having a good plan in place. What are three basic steps to take?

  • First, evaluate what personal information your company might be collecting, via its website or otherwise, and err on the side of caution that it could include data of EU citizens.
  • Second, ensure any website content clearly asks for consent, and provides information on how consent may be withdrawn.
  • Third, review, update, and/or create a comprehensive internal policy that covers privacy, data protection, and a process to follow in the event of a data breach. A comprehensive policy should be reviewed by members of your HR, IT, and marketing teams, as well as your legal counsel. It also would be a good idea to schedule an annual review of your policy, because certain aspects of the GDPR will become more clear as the regulation is implemented and interpreted.

For a more in-depth look at the GDPR, see our more comprehensive publication on the topic. If you have any questions, or would like to discuss the applicability of the GDPR to you or your company, please do not hesitate to contact Jennifer Horn, Brendon Friesen or Ed Patton in our Corporate Law and Business Services Group at (216) 523-1500.