GDPR Compliance Requirements and Implications for US Companies

GDPR - General Data Protection Regulation – Photo Courtesy: Descrier

I thought I would dedicate this blog to one topic that keeps coming up: “As a US business or government organisation, does GDPR affect me?” However, even if you are not based in the United States, I encourage you to continue reading, as the same challenges, restrictions, enforcements and opportunities still apply around the world.

What people are really asking is whether the EU’s new teeth can be brought to bear outside of the EU, and in particular, what influence could it possibly have against an economical giant such as the US. Why should organisations listen, take notice or even be slightly worried? The answer for many small organisations that only trade within the US and have no interest in employing or dealing with any EU citizens data is going to be pretty simple. However, unless you can be absolutely sure that you will not hold, receive or pass through data by any means regarding an EU citizen, no matter where they actually live, then you may need to be a little more attentive.

So let’s try to answer the first question, can the European Union impose a fine or penalty on a US or otherwise external organisation? The simple answer is yes, although the extent of the penalty and how it is enforced will be dependent on many factors, such as:

• local due process
• current unilateral trade agreements
• whether you are exclusively based in the US or have an EU presence
• or whether you have a presence in a country outside of the EU, but which has strong ties to the EU through trade agreements

But yes, the simplest way for the EU to impose a fine or penalty on a non EU-based company is to use local data protection regulations. Increasingly, GDPR is being seen as the standard model for other countries, so you may find yourself subject to local rules based on GDPR compliance principals that impose even greater restrictions and penalties. In other countries, the primary route for ensuring compliance and enforcement will come from the Data Protection Authority. However, a DPA does not exist in the US. The closest equivalent that has jurisdiction over most commercial organisations is the Federal Trade Commission (FTC), as well as a state attorney’s office, which have similar authority over other areas.

The real question is how far does the US Department of Commerce want to go to avoid trade embargos and impediments? We have already seen that the US-EU Safe Harbour self-certification program “PrivacyTrust”, formally “eTrust”, fell short of required European Commission requirements and has been replaced by Privacy Shield. In the meantime, this forced cloud providers to establish data centres and data policies that favour the EU territories. There is also an underlying desire by governments to protect its citizens and organisations wanting to be taking a moral stand on how personal information is handled and used. On many occasions, we have heard that the European Commissions’ data protection and data privacy policies are leading the way for the rest of the world. We also need to note that many countries have stronger regulations within their own boarders that need to be adhered to. So the practical upshot is that US companies will be under pressure to adhere to GDPR requirements if they wish to trade with or pass data through the EU, and this will be backed up by a desire to make sure any failures will be enforced by the US government in a desire to prove itself as a desirable platform for ecommerce.

To summarise;

• A large number, but not all US-based organisations, will have the requirement to demonstrate compliance with GDPR. This especially applies to those with a physical presence in any EU country or territory that trades within the EU, such as the UK after its exit, as these countries will be implementing GDPR as their own local laws. 
• The US authorities and federal government will have a desire to ensure organisations adhere to these regulations in an effort to protect its own ability to trade. Infringements will be supported by the best appropriate method at the request of the European Commission.  
• It won’t just be the EU that is trying to enforce such high standards in data protection, as many other countries around the world adopt the same or similar stringent policies in order to both remain an effective trading partner as well as its moral obligation to individuals’ rights.
• Local laws will still be in effect in conjunction with GDPR and affect not just where the data resides, but come into play based on where it is used and transferred through. Don’t forget that you will need to consider the local data regulations for every country that your data passes through.
• Data protection is not just about fining organisations. There are a great number of criminal actions that will be taken against individuals responsible within a business.
• A data processor is any organisation that takes part in the data lifecycle. So even if you only store the data for a company or simply collect and instantly pass on to the owner, you are classified as a processor and therefore impact the assessed risk to that data. This means that your customers be it an individual or multiple organisations will be deciding to do business based on the level of risk you pose as a data processor. 

It is important to remember that you will be competing both as a country and as a business against those that handle personal data to the high standards laid out by GDPR. Companies that have a strong moral compass and verifiable good data practices will do well as we move into this new era of ethical e-commerce where individuals have the ability to choose to be adequately protected.