General Data Protection Regulation (GDPR)

Europe’s data privacy regulation, the General Data Protection Regulation (GDPR), was enacted to harmonize data privacy laws across the European Union. In an increasingly globalized society, the GDPR has an undeniably expansive reach, forcing companies outside the EU to consider their obligations under the regulation. We work alongside innovative companies to help them achieve GDPR compliance and mitigate the risks associated with the collection and use of consumer data.

Home » Practices » Privacy & Data Security » GDPR

How Can We Help? Let's Talk

Challenges for American Companies

Companies based in the United States have faced substantial challenges in implementing and maintaining the necessary systems and procedures to remain compliant with the GDPR. The following are some of the most notable challenges for American companies related to GDPR compliance.

Adopting Specific Processes to Meet Substantial Requirements

The GDPR imposes cumbersome responsibilities on organizations. Often, addressing these responsibilities requires the adoption of specific processes to structure and formalize certain areas of business. As the GDPR requires companies to keep up-to-date records of their activities aimed at data protection, and also requires organizations to notify regulators of data breaches in a specified timeframe, businesses must implement protocols to meet these demands.

Hefty Fines and Sanctions for Noncompliance

Companies found in violation of the GDPR may be banned, temporarily or permanently, from processing personal data and/or, may be fined up to EUR $20 million or 4% of their global revenue for each violation. The idea behind such aggressive penalties is to make noncompliance prohibitively expensive, thereby incentivizing companies to adhere to the requirements of the GDPR.

Vagueness of Language

Uncertainty about the meaning of certain terms included in the GDPR is one of the largest hurdles to compliance. Vaguely defined terms such as “undue delay” and “reasonable level or protection” leave room for interpretation by regulators and courts. This ambiguity poses major challenges to companies that wish to mitigate the risk of noncompliance.

What Is the Difference Between a Controller and a Processor?

The GDPR draws a distinction between “controller” and “processor” as it relates to compliance obligations. A controller is a legal or natural entity that determines the purposes and means of processing personal data.

A processor, on the other hand, engages in data processing on behalf of the controller. Since processors act on behalf of the controller, they serve the controller’s interests instead of their own and operate under the authority of the controller. Data processors face their own set of compliance standards and must take appropriate measures to process data in line with GDPR rules and regulations.

Understanding GDPR Compliance Requirements for American Companies

One of the challenges businesses face when operating internationally is maintaining compliance with the regulatory patchwork of consumer privacy and data protection requirements that exist around the world. GDPR does offer the advantage of consistency across EU member nations, but companies based in the United States must still face the challenges of determining whether GDPR applies to their business, and if so, developing and adopting a comprehensive compliance program dedicated to GDPR –– a set of regulations which differs in important ways from consumer data privacy protections in the United States.

One of the largest of these challenges consists simply in recognizing that GDPR may apply to American companies. Particularly for businesses that operate partly or primarily online, websites and other digitally-networked means of communication open the door to EU customers –– which means that they also have the potential to expose businesses to legal consequences for failure to comply with GDPR requirements, even if the organization does not maintain a physical presence within a European Union member state. A 2021 analysis by Zendata of 1,000 websites maintained by companies in the United States found that 67% fell short on GDPR compliance.

The European Union’s GDPR Checklist for US Companies can be a helpful first resource for many American companies starting their GDPR compliance journey, but the complexity of EU guidelines and the ways in which the European regulatory system differs from that prevailing in the United States makes it advisable to work with experienced counsel offering targeted guidance and assistance in creating a comprehensive compliance program designed to satisfy both European consumers and regulatory authorities. Developing –– and demonstrating –– a strict protocol for maintaining GDPR compliance is one of the most important and effective strategies for American businesses to minimize unnecessary legal exposure.

General Data Protection Regulation (GDPR)

What Is the Difference Between a Controller and a Processor?

Understanding GDPR Compliance Requirements for American Companies

Related Attorneys

Michele Shuster

Helen Mac Murray

Nick Whisler

Lisa Messner

Josh Stevens

Chris Wager

Betty Montgomery

Erica Hollar

Walter (Chad) Blackham

Aaron Parry

General Data Protection Regulation (GDPR)

What is the GDPR?

Challenges for American Companies

Adopting Specific Processes to Meet Substantial Requirements

Hefty Fines and Sanctions for Noncompliance

Vagueness of Language

What Is the Difference Between a Controller and a Processor?

Understanding GDPR Compliance Requirements for American Companies

Related Attorneys

Michele Shuster

Helen Mac Murray

Nick Whisler

Lisa Messner

Josh Stevens

Chris Wager

Betty Montgomery

Erica Hollar

Walter (Chad) Blackham

Aaron Parry