4/25/2018 10:25:00 AM
How US companies can stay GDPR compliant
The EU's General Data Protection Regulation (GDPR), which takes effect on May 25th, has many companies rapidly preparing to comply with the new law.
Even though the regulation is designed to protect the data of EU citizens, organizations worldwide are taking notice as data security and privacy protection are at the forefront of today’s global economy.
US companies with a strong web presence, or those conducting transactions over the Internet, should be aware of GDPR and strategize a course of action to adhere to the regulation.
What Is GDPR?
GDPR is designed to protect EU citizens’ personal information while reshaping the way organizations approach data privacy.
It governs the conditions under which corporations use consumers’ personal information.
Clear and plain language needs to be used to obtain consent for the use of personal data, and organizations have to make withdrawing consent just as easy as giving it.
Companies will need to adhere to the data subject rights under GDPR, which include breach notification, right to access, right to be forgotten, data portability, privacy by design, and the appointment of data protection officers.
How US Companies Are Affected by GDPR
You may wonder, “Is my US-based company affected by GDPR?”
The answer is “very likely,” but do your due diligence to find out if the extended territorial scope of this new law will directly affect your organization.
GDPR’s extended jurisdiction applies to all companies that process the personal data of anyone residing in the EU, regardless of the business’s geographic location.
There are some nuances as to whether a person who lives in an EU country is automatically protected by GDPR when they input their data into a US website.
Generic marketing isn't covered under GDPR. For example, if you set up an English-language webpage written for US consumers and someone from France signs up for the lead magnet, that user will not be covered under the law.
However, if you’re explicitly targeting an audience who lives in an EU country (e.g., using a landing page of a specific language), then you’re subjected to the regulation.
If you accept local currency or have a website with a domain suffix associated with an EU country (e.g., .nl or .fr), you'll need to adhere to GDPR.
US companies in certain industries, such as hospitality, travel, software services, and eCommerce, should pay special attention to GDPR’s territorial scope.
In addition, any US business that has identified a market in any EU country and created localized web content should stay compliant with GDPR.
How US Companies Can Stay GDPR Compliant
US companies need to adjust their EU-directed online marketing forms and interactions such that explicit consumer consent is obtained prior to data submission.
GDPR requires that consent must be “freely given, specific, informed, and unambiguous.”
What does that mean?
Let's say you have set up a squeeze page to collect email addresses from prospects in an EU country. To obtain consent, you can include a checkbox, left unchecked by default, accompanied by clear language on what your company will do with the information.
If an EU citizen makes a purchase on your eCommerce website, you have to make sure that explicit permission is obtained for each type of processing you do with the personal data. For example, you'd still need their explicit consent in order to send them email newsletters in the future.
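To make that consent pattern concrete, here is an added JavaScript example (not code from the article): opt-in boxes rendered unchecked, a per-purpose consent record built only from values the user actually submitted, and a withdrawal call that is as simple as opting in. The purposes, field names and sample submission are hypothetical.

```javascript
// Added example, not code from the article. Models the consent pattern the
// article describes: per-purpose opt-in boxes that are unchecked by default,
// a consent record per purpose, and withdrawal that is as easy as opting in.
// Field names, purposes and the sample submission below are hypothetical.

const PURPOSES = ["order_processing", "newsletter"];

// Render the form fields. No "checked" attribute is emitted, so every box
// starts unticked and consent can only come from a user action.
function renderConsentFields(texts) {
  return PURPOSES.map((p) =>
    `<label><input type="checkbox" name="consent_${p}" value="on"> ${texts[p]}</label>`
  ).join("\n");
}

// Build a consent record from a submitted form body. A browser only sends a
// checkbox field when the user ticked it, so anything other than the exact
// value "on" (absent, "true", "1", ...) is treated as no consent.
function recordConsent(form, noticeVersion, now = new Date()) {
  const given = {};
  for (const p of PURPOSES) {
    given[p] = form[`consent_${p}`] === "on"
      ? { at: now.toISOString(), noticeVersion } // what was agreed to, and when
      : null;
  }
  return { email: form.email, given, withdrawn: {} };
}

// Withdrawal is a single call that records when the user opted out.
function withdrawConsent(record, purpose, now = new Date()) {
  record.withdrawn[purpose] = now.toISOString();
  return record;
}

// Check before each kind of processing, e.g. before sending a newsletter.
function hasConsent(record, purpose) {
  return Boolean(record.given[purpose]) && !(purpose in record.withdrawn);
}

// Constructed sample submission: the user ticked only the order box.
const sampleForm = { email: "buyer@example.com", consent_order_processing: "on" };
const sampleRecord = recordConsent(
  sampleForm, "privacy-notice-v1", new Date("2018-05-25T09:00:00Z")
);
```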
Staying compliant with your data collection process is just the first step. Next comes the data protection aspect.
If your company is already following existing data protection rules, such as PCI DSS, ISO 27001, and NIST, you shouldn’t run into major issues.
However, you need to pay attention to the 72-hour breach notification rule, which requires that the exposure of email addresses, personal data containing sensitive medical or financial information, or identifiers associated with children be reported to an EU regulator or "supervising authority" within 72 hours.
If the breach involves "high risk" to fundamental property and privacy rights, such as the exposure of credit card numbers or account passwords, you also have to notify the affected data subjects.
Don’t Risk the Consequences of Non-Compliance
Companies that breach the GDPR can be fined up to 4% of annual global turnover or €20 million (whichever is greater), so it definitely pays to stay compliant.
US companies, especially those with a strong web presence or that conduct transactions over the Internet, need to do their due diligence and pay attention to changing practices so they can stay compliant with requirements that may affect how they do business in today's global economy.