Many of our clients that have expanded operations to the USA operate pursuant to a similar structure: A UK limited company establishes a US subsidiary to more effectively penetrate the US market, limit the UK parent’s liability in the USA and more effectively manage cross-border tax issues.
Standing alone, a US subsidiary may not trigger GDPR requirements, so long as all personal data, data processors and controllers are based in the US. However, this is rarely the case, and the more active a UK parent company becomes in trading with its US subsidiary, the greater the chance that GDPR will impose requirements on both companies.
Among the myriad reasons for a UK parent to trade with its US subsidiary is management of aggregate tax liability. By way of example, cross-border tax management often takes place through intercompany services between the parent and subsidiary. That is, in order to avoid the higher US corporate tax and to take advantage of various HMRC tax benefits, the US subsidiary will engage its UK parent to perform services, for which the parent is paid out of the subsidiary’s pre-tax income. If those services involve any personal data being passed between the US and the UK, GDPR will become relevant. Especially where intercompany services relate to administration, human resources, marketing or customer relations, as they so often do, the need for GDPR compliance should be investigated, as there may be a requirement to inform data subjects of how their personal data is maintained and disposed of.
It’s important to note that the term “personal data” is defined very differently in the US and the EU. For our purposes, it’s the EU definition that controls, and that very broadly includes any information from which an individual’s identity can be gleaned, deduced or otherwise traced: ID numbers (including online identifiers), location information, information relating to a person’s physical, medical, physiological or financial characteristics, relationship status, religious or cultural identity, and many other factors.
If it is determined that personal data is being moved between a US subsidiary and its UK parent, then the next issue to determine, as between the subsidiary and its parent, is which, if either, is the data “processor”, which is the “controller”, and whether the GDPR requires any contractual arrangement between them or imposes duties on either of them.
Data processors, very briefly, work upon the data but do not decide its disposition. That is, they collect, organize, alter, store and take similar action with regard to the data. “Controllers”, on the other hand, decide what is to be done with the data. The processor and controller are each subject to different requirements and protocols, which are beyond the scope of this article. More important for our purposes is that, in certain circumstances, they must work together pursuant to contracts that meet the requirements of GDPR, addressing the nature, objective and duration of data processing; allocating protocols between them, with written verification of instructions from, and compliance with, the controller; requirements of confidentiality; and notice of any breaches. On the other hand, in many cases, due to the limited nature and purpose of the information exchanged, GDPR may actually impose only limited, if any, compliance duties.
While the process of understanding and complying with GDPR sounds daunting, a sensible, appropriate and systematic approach can smooth the transition to compliance with this new regulation and help avoid the potentially serious consequences of non-compliance. Write or call to arrange a consultation.
Don’t forget to subscribe to our US Law & Market Memorandum!