How Did GDPR Impact US Companies?

Being a technology lawyer in Silicon Valley – the home of start-ups and innovation Emily Jones, Partner at Osborne Clarke has seen technology regulations become more complex over the years, especially as legislators try to catch up with rapid technology development and balance the potential impact of regulation on innovation, competition, and consumer protection. This month, she speaks more on GDPR and its impact on the US.

With privacy being an ever-growing issue, what do you think the future holds for data privacy issues?

We are entering a new era of data privacy where these issues will continue to be front of mind for businesses and consumers.  Whilst companies have recently been very focussed on the implementation of the EU GDPR, many other jurisdictions, including Singapore, India and California, are introducing their own data privacy laws.  This makes it increasingly challenging, as well as costly and time-consuming, for companies to operate globally.  It also highlights the importance of getting the right local law advice and adopting the right compliance strategy.

When delivering data compliance strategies, what are three things you must consider beforehand?

A successful data compliance strategy needs senior level buy-in, combined with company-wide awareness and support to ensure that it is delivered effectively.  It’s also essential to have engaged with the relevant parts of the business at the outset to understand the organisation’s current and future plans, for example, any new product developments or growth into new markets.  Finally, companies should think carefully about their approach to risk (including reputational risk), especially in the context of their role in the data eco-system and how their customers or users will expect them to approach data compliance.

In your experience, how did the EU GDPR impact US companies and your clients? How did you work around challenges these changes presented?

US companies were significantly impacted by the EU GDPR, largely due to the fact that many US companies were having to consider compliance with European data protection laws for the first time.  Their European customers and users were also demanding detailed information and reassurance that their US vendors were compliant.

One of the initial challenges for US companies related to understanding key GDPR concepts, such the scope of personal data, which is much broader than the term PII used in the US.  We worked to overcome this challenge by providing lots of training and explanatory guides for our clients, which they could then use with key stakeholders internally.  We also created summaries and white papers that US companies could use to demonstrate to their approach to compliance to European customers.

Many US technology companies use vast amounts of data in complex and innovative ways that are core to their business models.  This meant that there were challenges in applying the principles in GDPR at the outset.  One key first step to address this was to make an initial assessment to understand the nature, scope, volume, location and uses of personal data within a business.  We helped clients mapping out and advising on the key steps that the company would need to take to comply and which to prioritise.

Another challenge was building an internal governance framework and data privacy-related policies and procedures to address the additional GDPR obligations around record keeping, security, data subject rights, accountability and impact assessments.  We helped many clients to put in place accessible and straightforward documentation to achieve this.  We have created and will continue to develop a number of new products and also offer technology solutions to help companies deal more efficiently and quickly with high volumes of data subject access requests, for example.

Is there anything you would like to add?

Going forward, we anticipate further regulatory guidance, enforcement action to occur, but also commercial practices to evolve and stabilise.  This will provide some much needed certainty for companies in both the US and in Europe who continue to face compliance challenges in this area. To find out more and to read our latest insights, readers can visit our GDPR hub.

Emily Jones

Partner

T +1 650 714 6386

www.osborneclarke.com

Emily Jones is a Partner at Osborne Clarke LLP and head of their Silicon Valley offices. Emily and her team also provide international legal expertise in time-zone and connect our clients with  specialists around the world to advise on a full range of legal issues. 

Osborne Clarke is an international legal practice with 25 offices, 740+ lawyers and 250+ partners across Europe, Asia and US.