Does the GDPR Affect Companies in the US?

The European Union will introduce new data protection rules in May 2018. The GDPR (General Data Protection Regulation) will be the most significant data security legislation passed in over two decades, and it aims to bring better protection to consumers and businesses throughout the EU. If you do business with clients in countries that fall under EU jurisdiction, then you’ll need to know the impact of GDPR in the US.

What is the GDPR?

The GDPR is a widespread legal framework for data protection in the European Union. The legislation aims to change how companies collect and process data. Rules set by the GDPR will ensure that individuals are aware of data collection and their rights to their personal data.

Key changes that will result from the implementation of the regulations include:

  • Individuals must now explicitly consent to the collection of data.
  • Businesses must take appropriate steps to safeguard the data that is collected, protecting information like names, images, contact details, and financial details.
  • The framework implies that businesses must now have systems that are intended (by nature of design) to protect private information.
  • Individuals in the EU have a right to be forgotten, i.e. they can request that all data held by a company be deleted.
  • Businesses will have a legal obligation to inform their customers when data breaches have occurred.

What is the Impact of GDPR in the US?

If a US business has a European presence and doesn’t comply with the new legislation, then hefty fines can be imposed. These can be up to 4% of total annual revenue, making them costly for businesses of any size.

International law can be extremely complicated, and there is very little precedent to illustrate how the European Union would sue an American-based company that doesn’t have a physical business presence in Europe.

However, there are other ways that the European Union could make things difficult for United States-based companies that don’t comply. Blocking access to websites could be one way that the EU protects its citizens from non-compliant US companies. Smaller businesses would likely not be targeted for legal action, but even restricting access would be damaging enough, and could have a huge financial impact on the offending business.

Any company that wants to collect data from citizens in the EU is advised to ensure compliance with the GDPR. Multinational companies with European offices will be particularly vulnerable to the new regulations.

Does Your Company Need to Change the Way That It Operates?

Your business may already be taking steps to protect the data of your customers, but the solutions may not be designed with GDPR in the US in mind.

The regulations only cover businesses that explicitly target citizens in the European Union. Sufficient evidence of targeting these citizens could include offering services that are marketed for the EU, using EU currency for transactions, or operating with an EU domain name suffix. Companies that offer software services, travel services, and consulting services will likely be impacted. Ecommerce services that target European customers will also likely be subject to the regulations.

One of the biggest changes will be the need for privacy policies and disclosures that obtain explicit consent from a user before collecting data. These policies should not only be present on websites, but there also needs to be a unique point of interaction where a user confirms their consent.

Your company may need to review the security of your website and data storage solutions, and new policies may need to be designed to handle both privacy and data breaches.

Compliance will be key for any company wishing to engage in business in Europe, even if that business is simply data collection and marketing. With the right IT consulting team, you can protect the interests of your business while maintaining compliance with GDPR in the US.