European Union: Potential Challenges GDPR Presents To American Companies

The EU General Data Protection Regulation (GDPR) will come into effect on May 25, 2018, replacing the current applicable Data Protection Directive.

The GDPR is complex and comprehensive and aims to harmonize data privacy laws across Europe, protect the privacy of EU citizens' personal information, and regulate the manner in which organizations in Europe or with European operations handle data privacy. Below we outline some key provisions of the GDPR that will impact American companies and the potential challenges they present.

Wider Scope & Enforcement

The GDPR applies not only to companies located within the EU but also to organizations located outside the EU if they offer goods or services to, or monitor the behavior of EU data subjects. For example, an online retail company that is solely located in the US, but allows purchases and deliveries to EU citizens, would be subject to the GDPR.

The GDPR applies both to data controllers (companies that determine the purpose and means of processing personal data) and data processors (companies that process personal data on behalf of data controllers). While a controller must comply with all obligations set out in the GDPR, the regulation also introduces direct obligations on processors. Both controllers and processors are subject to enforcement action for non-compliance by supervisory authorities.

A controller located outside the EU must appoint a representative in one of the member states in which the controller offers goods or services or monitors EU residents, unless the processing is occasional, small scale, and does not involve sensitive personal data.

The GDPR defines personal data broader than the US privacy laws, and includes any information that can identify a data subject, directly or indirectly, by reference to an identifier (including publicly available information) such as a name, an identification number, location data, an online identifier, or information pertaining to the physical, physiological, health, genetic, mental, economic, cultural, ethnic, religious, or social identity of a data subject.

Like US privacy laws, the regulation covers unauthorized access to or acquisition of personal information; however the GDPR also considers an accidental or unlawful destruction, loss or alteration of personal data to constitute a breach.

Fines imposed for violations of the GDPR are to be "effective, proportionate and dissuasive." Supervisory authorities have the powers of conducting audits, issuing orders to cease operations for non-compliance, and to impose substantial fines. For minor non-compliance, fines can be up to EUR 10,000 or up to 2% of worldwide annual turnover of the preceding financial year, whichever is greater. More serious breaches can result in fines of up to EUR 20,000,000 or 4% of total worldwide annual turnover in the preceding financial year, whichever is greater. The availability of such substantial fines is a great concern for US companies and an incentive to understand and comply with the regulation.

Action Point: To achieve compliance and avoid potential enforcement action, US companies who offer goods or services to EU citizens or monitor their behavior have to be aware that they are subject to the GDPR, learn their obligations under the regulation and familiarize themselves with the regulation's definition of personal data and its key provisions (discussed below), appoint a representative in the EU if their operations are not occasional or small scale, implement required data handling practices and procedures and devise compliance plans (discussed below), and train their work force.

Key Provisions Impacting US Companies

Data Subject Rights

A fundamental objective of the GDPR is to protect and enhance the rights of data subjects. The key rights of data subjects include:

  • Right of access and rectification. Data subjects have a right to request their personal data and receive it in an intelligible format within one month of such request, as well to request rectification of their personal data if it is inaccurate. The controller must give effect to data subjects' rights of access, rectification, erasure, and the right to object to profiling or direct marketing, free of charge.
  • Right of data portability. Under the right of data portability, a data controller must provide the data subject with a copy of the data subject's personal data in a structured, commonly used and machine readable format and not hinder the data subject's transmission of personal data to a new data controller.
  • Right to transparency. Controllers must provide certain minimum information to data subjects regarding the collection and processing of their personal data. Controllers must provide subjects with concise, transparent, intelligible, and easily accessible information about the processing of their personal data.
  • Right of erasure. Data subjects have the right to erasure of personal data (the "right to be forgotten") if the personal data is no longer necessary for the purpose for which it was originally collected, or when the individual withdraws consent and there is no overriding legitimate interest for continuing the processing. But, a controller may keep personal data to comply with a legal obligation, for public health purposes in the public interest, archiving purposes in the public interest, scientific research, historical research or statistical purposes, or for the defense of legal claims.
  • Right to object to profiling and direct marketing. The GDPR defines "profiling" as "any form of automated processing of personal data consisting of the use of personal data to evaluate personal aspects relating to a natural person; in particular, to analyze or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences or interests, reliability or behavior, location or movements." Under GDPR, data subjects have a right to not be subject to a decision based solely on profiling which produces a legal or other similarly significant effect.

Action Point: US companies should establish policies and procedures to promptly address personal data requests from data subjects, to provide access to and correct any inaccurate data, provide the data in specified format as requested, transfer data to another data controller, inform data subjects about how their data is collected and processed, and handle erasure requests where appropriate. An organization should also update its data retention policy to ensure it retains data within the legal and regulatory parameters, and only for the specific periods of time for which the personal data was collected in the first place. US companies should evaluate their profiling activities and whether such activities require data subjects' consent.

Fair Processing Notices

Under the GDPR, a controller must provide detailed information to data subjects regarding any intended processing of personal data. The required privacy notice must be concise, and provide in clean and plain language the following information: identity of controller; purpose of the processing; the controller's contact details; the legal basis of the processing; the data retention period; a reference to the data subject's rights under the GDPR; and information on international transfers and safeguards applied to such transfers. Where the personal data is not obtained directly from the data subject, the notice should also identify the source of the personal data.

Action Point: US companies should review their privacy notices and update them to include the specific information required by the GDPR.


Under GDPR, organizations must have a lawful basis for all of their data processing activities. If an organization relies on consent as the lawful basis for its data processing activities, it must ensure that data subjects are provided with a clear explanation of the processing to which they are consenting. This includes the consent mechanism is genuinely voluntary and "opt-in" and that data subjects can easily withdraw their consent. Additionally, consent will not be valid if the data subject has no genuine and free choice, or is unable to refuse or withdraw consent without detriment.

Action Point: US companies should review their privacy policies and consent provisions because, under the GDPR, consent must be provided in the form of a clear, affirmative action by the data subject.


The GDPR requires controllers to demonstrate they comply with the GDPR through policies and procedures. Further, both controllers and processors must maintain records of processing activities that include details such as retention periods, transfers of personal data, and recipients of the data. The required policies, procedures, and processing records must be produced to the supervisory authorities upon request.

The GDPR also introduces the concepts of data protection by design and by default. Data protection by design requires controllers to implement appropriate technical and organizational measures to protect the rights of data subjects and ensure compliance with the regulation. Data protection by default means that controllers have to implement appropriate technical and organizational measures to ensure that only personal data that is necessary for processing for a specific purpose is processed.

Lastly, the GDPR requires that companies perform privacy impact assessments ("PIAs") where processing activities present a high risk to the rights and freedoms of data subjects (e.g., large scale processing of special categories of data). The PIA should contain a description of the processing, including the legitimate interest pursued by the controller; an assessment of the necessity and proportionality of the processing; an assessment of the risks to the rights and freedoms of data subjects; and the safeguards and measures to protect against these risks.

Action Point: Data privacy professionals at US companies work closely with management, product teams, and engineering teams to ensure that proper records are maintained demonstrating compliant data processing activities, and that appropriate technical and organizational measures ensuring compliance with the regulation are implemented with respect to existing products and services and built into newly developed products and services. In addition, US companies that handle personal data on large scale have to perform PIAs.


The GDPR requires both controllers and processors to handle personal data in a way that ensures appropriate security and protects against unauthorized and unlawful processing, and implement a level of security that is appropriate to the risk, including pseudonymisation and encryption of personal data, ensuring ongoing confidentiality and integrity of processing systems and services, ability to quickly restore availability of personal data in the event of a security incident, and regular evaluation and testing of security measures.

Action Point: US companies should perform thorough evaluation of their data processing practices and procedures, implement a level of security that is appropriate to the data handling risk, and review and update these practices and procedures frequently for GDPR compliance.

Breach Notification

The GDPR introduces mandatory personal data breach reporting requirements to all companies subject to the regulation. Controllers will be obligated to report breaches to the relevant supervisory authority without undue delay, and where feasible, not later than 72 hours after they first become aware of the breach. It is not necessary to notify a personal data breach where it is unlikely to result in a risk to the rights and freedoms of data subjects.

Personal data breaches must also be notified to data subjects where the breach is likely to result in a high risk to the rights and freedoms of the data subjects. Notification to data subjects is not required if the controller has implemented appropriate security measures that render the personal data unintelligible to any unauthorized person (e.g., through encryption), the controller has taken subsequent measures to ensure the high risk to data subjects does not materialize, or it would involve disproportionate effort, in which case a public communication will suffice.

A processor responsible for the breach is required to notify the controller that owns the affected personal information, without undue delay.

Action Point: Given the very short deadline for notification, US companies should develop detailed notification action plans and identify in advance the appropriate authorities that need to be notified. Companies should also familiarize themselves with the thresholds that trigger the notification requirement under GDPR, as these thresholds differ in many aspects from the US breach notification laws.

Data Protection Officers

The GDPR requires controllers and processors to appoint a data protection officer (DPO) if they are a public entity, if the organization's activities involve regular and systematic monitoring of personal data on a large scale, or if the organization processes data relating to criminal convictions and offenses or other sensitive personal data, on a large scale.

Action Point: US companies should evaluate whether they are required to appoint a DPO. For larger organizations, the DPO may require a support team in order to carry out the DPO role effectively.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on

Click to Login as an existing user or Register so you can print this article.

Similar Articles
Relevancy Powered by MondaqAI
Akin Gump Strauss Hauer & Feld LLP
In association with
Practice Guides
by Mondaq Advice Centers
Relevancy Powered by MondaqAI
Related Topics
Similar Articles
Relevancy Powered by MondaqAI
Akin Gump Strauss Hauer & Feld LLP
Related Articles
Related Video
Up-coming Events Search
Font Size:
Mondaq on Twitter
Mondaq Free Registration
Gain access to Mondaq global archive of over 375,000 articles covering 200 countries with a personalised News Alert and automatic login on this device.
Mondaq News Alert (some suggested topics and region)
Select Topics
Registration (please scroll down to set your data preferences)

Mondaq Ltd requires you to register and provide information that personally identifies you, including your content preferences, for three primary purposes (full details of Mondaq’s use of your personal data can be found in our Privacy and Cookies Notice):

  • To allow you to personalize the Mondaq websites you are visiting to show content ("Content") relevant to your interests.
  • To enable features such as password reminder, news alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our content providers ("Contributors") who contribute Content for free for your use.

Mondaq hopes that our registered users will support us in maintaining our free to view business model by consenting to our use of your personal data as described below.

Mondaq has a "free to view" business model. Our services are paid for by Contributors in exchange for Mondaq providing them with access to information about who accesses their content. Once personal data is transferred to our Contributors they become a data controller of this personal data. They use it to measure the response that their articles are receiving, as a form of market research. They may also use it to provide Mondaq users with information about their products and services.

Details of each Contributor to which your personal data will be transferred is clearly stated within the Content that you access. For full details of how this Contributor will use your personal data, you should review the Contributor’s own Privacy Notice.

Please indicate your preference below:

Yes, I am happy to support Mondaq in maintaining its free to view business model by agreeing to allow Mondaq to share my personal data with Contributors whose Content I access
No, I do not want Mondaq to share my personal data with Contributors

Also please let us know whether you are happy to receive communications promoting products and services offered by Mondaq:

Yes, I am happy to received promotional communications from Mondaq
No, please do not send me promotional communications from Mondaq
Terms & Conditions (the Website) is owned and managed by Mondaq Ltd (Mondaq). Mondaq grants you a non-exclusive, revocable licence to access the Website and associated services, such as the Mondaq News Alerts (Services), subject to and in consideration of your compliance with the following terms and conditions of use (Terms). Your use of the Website and/or Services constitutes your agreement to the Terms. Mondaq may terminate your use of the Website and Services if you are in breach of these Terms or if Mondaq decides to terminate the licence granted hereunder for any reason whatsoever.

Use of

To Use you must be: eighteen (18) years old or over; legally capable of entering into binding contracts; and not in any way prohibited by the applicable law to enter into these Terms in the jurisdiction which you are currently located.

You may use the Website as an unregistered user, however, you are required to register as a user if you wish to read the full text of the Content or to receive the Services.

You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these Terms or with the prior written consent of Mondaq. You may not use electronic or other means to extract details or information from the Content. Nor shall you extract information about users or Contributors in order to offer them any services or products.

In your use of the Website and/or Services you shall: comply with all applicable laws, regulations, directives and legislations which apply to your Use of the Website and/or Services in whatever country you are physically located including without limitation any and all consumer law, export control laws and regulations; provide to us true, correct and accurate information and promptly inform us in the event that any information that you have provided to us changes or becomes inaccurate; notify Mondaq immediately of any circumstances where you have reason to believe that any Intellectual Property Rights or any other rights of any third party may have been infringed; co-operate with reasonable security or other checks or requests for information made by Mondaq from time to time; and at all times be fully liable for the breach of any of these Terms by a third party using your login details to access the Website and/or Services

however, you shall not: do anything likely to impair, interfere with or damage or cause harm or distress to any persons, or the network; do anything that will infringe any Intellectual Property Rights or other rights of Mondaq or any third party; or use the Website, Services and/or Content otherwise than in accordance with these Terms; use any trade marks or service marks of Mondaq or the Contributors, or do anything which may be seen to take unfair advantage of the reputation and goodwill of Mondaq or the Contributors, or the Website, Services and/or Content.

Mondaq reserves the right, in its sole discretion, to take any action that it deems necessary and appropriate in the event it considers that there is a breach or threatened breach of the Terms.

Mondaq’s Rights and Obligations

Unless otherwise expressly set out to the contrary, nothing in these Terms shall serve to transfer from Mondaq to you, any Intellectual Property Rights owned by and/or licensed to Mondaq and all rights, title and interest in and to such Intellectual Property Rights will remain exclusively with Mondaq and/or its licensors.

Mondaq shall use its reasonable endeavours to make the Website and Services available to you at all times, but we cannot guarantee an uninterrupted and fault free service.

Mondaq reserves the right to make changes to the services and/or the Website or part thereof, from time to time, and we may add, remove, modify and/or vary any elements of features and functionalities of the Website or the services.

Mondaq also reserves the right from time to time to monitor your Use of the Website and/or services.


The Content is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements or provide advice on which reliance should be placed. Mondaq and/or its Contributors and other suppliers make no representations about the suitability of the information contained in the Content for any purpose. All Content provided "as is" without warranty of any kind. Mondaq and/or its Contributors and other suppliers hereby exclude and disclaim all representations, warranties or guarantees with regard to the Content, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. To the maximum extent permitted by law, Mondaq expressly excludes all representations, warranties, obligations, and liabilities arising out of or in connection with all Content. In no event shall Mondaq and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of the Content or performance of Mondaq’s Services.


Mondaq may alter or amend these Terms by amending them on the Website. By continuing to Use the Services and/or the Website after such amendment, you will be deemed to have accepted any amendment to these Terms.

These Terms shall be governed by and construed in accordance with the laws of England and Wales and you irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any dispute which may arise out of or in connection with these Terms. If you live outside the United Kingdom, English law shall apply only to the extent that English law shall not deprive you of any legal protection accorded in accordance with the law of the place where you are habitually resident ("Local Law"). In the event English law deprives you of any legal protection which is accorded to you under Local Law, then these terms shall be governed by Local Law and any dispute or claim arising out of or in connection with these Terms shall be subject to the non-exclusive jurisdiction of the courts where you are habitually resident.

You may print and keep a copy of these Terms, which form the entire agreement between you and Mondaq and supersede any other communications or advertising in respect of the Service and/or the Website.

No delay in exercising or non-exercise by you and/or Mondaq of any of its rights under or in connection with these Terms shall operate as a waiver or release of each of your or Mondaq’s right. Rather, any such waiver or release must be specifically granted in writing signed by the party granting it.

If any part of these Terms is held unenforceable, that part shall be enforced to the maximum extent permissible so as to give effect to the intent of the parties, and the Terms shall continue in full force and effect.

Mondaq shall not incur any liability to you on account of any loss or damage resulting from any delay or failure to perform all or any part of these Terms if such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control of Mondaq. Such events, occurrences or causes will include, without limitation, acts of God, strikes, lockouts, server and network failure, riots, acts of war, earthquakes, fire and explosions.

By clicking Register you state you have read and agree to our Terms and Conditions