How the GDPR can Affect US-Based Businesses

This May of 2018, the EU’s General Data Protection Regulation or the GDPR has come into effect enforcing high fines for violation of the GDPR along with the requirements of 72-hour breach reporting, the “right to be forgotten” and the stronger consumer consent, among others.

Of course, as this is a largely EU-centred regulation, all EU companies and multi-national companies that do business with the EU are expected to comply, else they face repercussions. This begs the question of whether companies who do not have any business with any of the EU nations have to comply or not, most especially US companies who only have business in the US.

Unfortunately, all companies who market their business over the internet will have to review the GDPR and adjust in compliance.

In this article, we will discuss how the GDPR affects US businesses and what you can do to avoid GDPR violations and penalties.

GDPR’s Territorial Scope

As mentioned earlier, whether you do business with EU nations or not, you will still have to comply to some of the regulations. To briefly explain why, here’s an excerpt from the Article 3 of GDPR:

1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.

2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or

(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.

3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.

Section 1 means that collecting personal or behavioural data from someone in an EU nation is subject to the GDPR. Take note that this applies to EU collecting data in an EU country. Collecting personal and behavioural data from an EU citizen in a country outside of the EU is not subject to the GDPR.

Section 2 means that financial transaction is not required for the scope of the GDPR to take effect. Any personal data collected from EU as part of marketing surveys will be protected by the GDPR.

Section 3 is another complicated clause. What makes this complicated, however, is that data acquired from generic marketing doesn’t count as being protected. The requirement would be for the marketing to be in the primary language of the country targeted and that there are references to EU customers for the GDPR to apply.

Businesses likely to fall under these would be US-based travel companies, businesses in the hospitality industry, e-commerce businesses, software companies, travel companies, etc. So if your company is a US-based company with markets in the EU and with local web content, it’s time for you to review your web operations.

Breach Notifications and Consent

The GDPR 72-hour breach notification rule is one that will surely call for IT departments to improve their protocols, software and everything else needed to keep within the 72-hour grace period. To better understand the 72-hour breach notification, here’s an excerpt from Article 33 of the GDPR.

1 In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.

2 Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay. The processor shall notify the controller without undue delay after becoming aware of a personal data breach. 

Another to take note of is the requirement of explicit consent.

This only means that explicit consumer consent is required when US-based companies require for consumers to fill in forms. As required by GDPR, consent must be “freely given, specific, informed and unambiguous.”

This means that for every step of the customer journey, when personal information is asked such as filling in customer forms, entering financial transactions, etc. your business will be required to obtain explicit permission from the consumer before a step is processed.

Once information has been successfully submitted by the consumer, it is the US-based companies’ responsibility to protect all information under the GDPR.

To enforce these regulations, the GDPR imposes hefty fines. For example, not reporting a breach to a regulator with the 72-hour period will result to a first tier fine. This fine constitutes the business’ 2% global revenue.

So, if you are a US company with a strong presence over the internet, it’s important to read through the GDPR and pay attention to the changes you should apply to your business over the internet.