GDPR - General Data Protection Regulation
I thought I would dedicate this blog to one topic that keeps coming up: “As a US business or government organisation, does GDPR affect me?” However, even if you are not based in the United States, I encourage you to continue reading, as the same challenges, restrictions, enforcements and opportunities still apply around the world.
What people are really asking is whether the EU’s new teeth can be brought to bear outside of the EU, and in particular, what influence they could possibly have against an economic giant such as the US. Why should organisations listen, take notice or even be slightly worried? For many small organisations that only trade within the US and have no interest in employing EU citizens or handling any EU citizens’ data, the answer is going to be pretty simple. However, unless you can be absolutely sure that you will never hold, receive or pass through data by any means regarding an EU citizen, no matter where they actually live, then you may need to be a little more attentive.
So let’s try to answer the first question: can the European Union impose a fine or penalty on a US or otherwise external organisation? The simple answer is yes, although the extent of the penalty and how it is enforced will depend on many factors, such as:
But yes, the simplest way for the EU to impose a fine or penalty on a non-EU-based company is to use local data protection regulations. Increasingly, GDPR is being seen as the standard model for other countries, so you may find yourself subject to local rules based on GDPR compliance principles that impose even greater restrictions and penalties. In other countries, the primary route for ensuring compliance and enforcement will come from the Data Protection Authority (DPA). However, a DPA does not exist in the US. The closest equivalent with jurisdiction over most commercial organisations is the Federal Trade Commission (FTC), together with the state attorneys’ offices, which have similar authority over other areas.
The real question is how far the US Department of Commerce wants to go to avoid trade embargoes and impediments. We have already seen that the US-EU Safe Harbour self-certification program “PrivacyTrust”, formerly “eTrust”, fell short of European Commission requirements and has been replaced by Privacy Shield. In the meantime, this forced cloud providers to establish data centres and data policies that favour the EU territories. There is also an underlying desire by governments to protect their citizens, and by organisations wanting to take a moral stand on how personal information is handled and used. On many occasions, we have heard that the European Commission’s data protection and data privacy policies are leading the way for the rest of the world. We also need to note that many countries have stronger regulations within their own borders that need to be adhered to. So the practical upshot is that US companies will be under pressure to adhere to GDPR requirements if they wish to trade with or pass data through the EU. This pressure will be backed by the US government’s own desire to enforce any failures, in order to prove itself a desirable platform for e-commerce.
It is important to remember that you will be competing both as a country and as a business against those that handle personal data to the high standards laid out by GDPR. Companies that have a strong moral compass and verifiable good data practices will do well as we move into this new era of ethical e-commerce where individuals have the ability to choose to be adequately protected.
I would be interested to see or initiate discussions concerning European companies that are also USG contractors. How can European USG contracts reconcile the GDPR requirements for purging documentation versus the USG FAR requirements for maintaining documentation?