The General Data Protection Regulation (GDPR) comes into effect in the EU in May 2018, but does GDPR apply to US companies, and if so, how?
What is the General Data Protection Regulation (GDPR)?
The General Data Protection Regulation is a new law in the European Union that was approved by the EU Parliament on April 14, 2016. GDPR, formally Regulation (EU) 2016/679, will come into effect on May 25, 2018, which is the deadline for ensuring compliance. GDPR will replace the existing privacy legislation (Data Protection Directive 95/46/EC) that was introduced in 1995, updating the requirements for companies and individuals doing business in the EU with respect to data security and privacy.
As the name suggests, GDPR is concerned with the protection of personal data collected from consumers. The update to the legislation is intended to improve the control EU citizens have over their data.
Does GDPR Apply to US Companies?
Naturally, any company or individual based in an EU member state must comply with EU regulations if they conduct business in the EU and collect the data of EU citizens. GDPR also applies to any individual or company doing business in the EU if they are based elsewhere. It does not matter if a company doesn’t have a base in the EU. Compliance with GDPR is mandatory for any company that does business in one or more EU member states and collects, stores or processes the personal or sensitive data of EU citizens.
Even companies that collect only minimal data on consumers will still need to ensure compliance with GDPR. For example, a US company whose website collects data on users, including IP addresses, must ensure it complies with the new regulation. The use of cookies is also covered by the regulation.
The definition of personal data in GDPR is “Any information relating to an identified or identifiable natural person.” That includes names, addresses, photographs, email addresses, bank details, posts on social networking websites, medical information, IP addresses, etc. It does not matter how that information is collected, whether via websites, applications, telephone or other means: GDPR will apply.
Most companies in the United States will be required to comply with GDPR if their website does not have a geographical block that prevents it from being accessed by individuals in EU member states.
Not only does GDPR apply to US companies, but there are also severe penalties for non-compliance. Of course, companies can decide to ignore GDPR, but doing so is likely to prove incredibly costly. The penalty for non-compliance with GDPR is a fine of up to €20,000,000 or 4% of the company’s global annual turnover for the past fiscal year, whichever is greater.
In addition to the financial penalty, companies will be subjected to audits to ensure policies and procedures have been updated and to ensure the company continues to comply with GDPR.
How Does GDPR Apply to US Companies?
GDPR has many elements, but the key points for US companies are the need to have privacy protections in place and to implement data security measures, including end-to-end data protection.
Companies must limit the collection of data to the minimum amount necessary to perform the task for which the data are collected. Before any data are collected, consumers must be informed that information will be collected and what it will be used for. Once the data have served that purpose and are no longer required, the information must be permanently deleted.
Consent must be obtained from consumers before their data can be collected and used. While the old legislation was based on an opt-out model, GDPR requires consumers to opt in. Additionally, a list of pre-ticked checkboxes that only requires a click on ‘OK’ will not be sufficient. Consumers, or data subjects as they are known in the legislation, must give informed consent by making a clear affirmative action. In the case of minors, consent must be obtained from the child’s parent or legal guardian before data are collected and used. After consent is provided, it can be withdrawn at any point. Once consent is withdrawn, or on request by the data subject, the company must delete all personal data associated with that individual. Individuals have a right to be forgotten.
If a company’s core activity is processing, trading or storing data, it is necessary to appoint a Data Protection Officer (DPO). That applies to all public authorities, credit agencies and list brokers. The DPO is responsible for ensuring compliance with GDPR across the entire organization. The individual must be suitably qualified, have a sound knowledge of GDPR and understand the technical and organizational infrastructure of the company.
All employees of a company who are involved in the collection, storage or handling of data must receive training on the requirements of GDPR and on how the legislation applies to them and the data they handle.
If you have yet to make a start on GDPR compliance, now is the time to get prepared.