On May 25, 2018, the European Union’s General Data Protection Regulation, or GDPR, went into effect. If you are an owner or senior executive of a business based in the United States, you may think this new regulation has no impact on your organization. You would be wrong.
As we approach the first anniversary of GDPR, it’s time for U.S. business owners to think seriously about GDPR compliance. If your company has a website or social media presence and an international customer base, you may be affected. The costs of noncompliance can be potentially devastating for a small business: fines of up to 4% of annual global turnover or €20 million, whichever is greater.
The main purpose of the regulations is to protect EU citizens from data-breach-related privacy violations. GDPR is an update to a similar regulation implemented in 1995. Due to the vast changes to the online landscape since that time, the EU decided to give the regulation a significant update.
Key provisions of the regulation include:
• Informed consent: GDPR applies strict rules for processing data based on consent. The consent should be freely given, specific, informed and unambiguous by way of a request presented in clear and plain language.
• Right to access and right to data portability: Individuals have the right to access their personal data, free of charge. When the processing is based on consent or a contract, the individual can also ask you to return their personal data to them or transmit it to another company.
• Right to correct and right to object: If an individual believes that their personal data is incorrect, incomplete or inaccurate, they have the right to have it rectified or completed without undue delay. An individual may also object, at any time, to the processing of their personal data for a particular use.
• Right to erasure (right to be forgotten): In some circumstances, an individual can ask the data controller to erase their personal data.
• Automated decision-making and profiling: With some exceptions, individuals have the right not to be subject to a decision that is based solely on automated processing, such as a credit decision.
How U.S. Businesses Are Impacted
The GDPR explicitly states that the regulation applies to any company, business or organization that is not located within the EU, yet is processing information from citizens of the EU. This includes:
• Those who offer goods or services to EU citizens. Note that GDPR still applies whether or not currency is exchanged for a good or service.
• Those who monitor the behavior of EU citizens. Even marketing surveys of EU citizens who are in the EU at the time of taking the survey are covered by GDPR.
If a non-EU company is engaging in the above activities, it must appoint a representative in the EU.
Protections For U.S.-Based Businesses
The good news is that U.S.-based businesses that are not seeking to collect data or perform a transaction with a citizen of the EU are likely exempt. GDPR will not apply if an EU citizen searching online for a product or service stumbles upon a U.S.-based company’s website. Why? Because the U.S.-based company did not explicitly target an EU citizen.
However, if this same situation occurs and the U.S.-based business offers website content in one of the official languages of the EU (which include English) and acknowledges EU customers in some way, then the company absolutely must follow GDPR.
Industries Most Affected By The GDPR Outside Of The EU
A majority of companies based in the United States may not have to be concerned about GDPR. However, the following industries are the most commonly affected:
• Software services
Steps A U.S.-Based Business Should Take For Compliance
If your company has international customers or obtains information from citizens of the EU, now or in the future, it’s advisable to ensure your online forms are GDPR-compliant. For example, you must obtain consent from any user who fills out a form on your website and make it very clear and explicit how you are utilizing their data. Consent must be “freely given, specific, informed and unambiguous.” Terms and conditions and privacy policies must be prominently displayed, not hidden in small print or behind a link.
The Future Of Privacy
New technology is responding to demand for greater control over information shared and stored online, and to the regulatory changes and recordkeeping requirements wrought by GDPR. Some companies are leveraging blockchain technology to further privacy. Accenture and Microsoft recently announced the development of a blockchain-based digital ID platform that would allow up to 1.1 billion users to secure a digital identity.
A consortium of companies, including IBM, Danube Tech, ATB Financial and others joined together to create the international nonprofit Sovrin Foundation, which “uses the power of a hybrid distributed ledger as a fast, private and secure framework for providing every person, organization and connected device a permanent identity with which to transact online and operate securely in everyday life.”
Jayen Madia, managing director, head of risk assets at AXIS Capital explains, “[I]t seems reasonable to assume potentially broader implications of the new data privacy regulations for the world’s largest data powerhouses — companies like Google and even countries like China, as data privacy is inextricably linked to data dominance, cross-border trade, and national security, big data should expect to see more in the way of future, global regulation.”
On January 21, 2019, France’s privacy regulator, the National Data Protection Commission, imposed a financial penalty of 50 million euros against Google under GDPR for “lack of transparency, inadequate information and lack of valid consent regarding the ads personalization.” It was an expensive reminder of the cost of noncompliance.
Although some U.S. businesses clearly fall outside of GDPR, companies that have relationships with EU residents may find themselves subject to GDPR and should seek counsel from someone well-versed in the new regulations.
This article (and image) was originally published here: https://www.forbes.com/sites/forbesnycouncil/2019/03/26/what-us-business-owners-need-to-know-about-gdpr/#40446d2d7aff