Global Banking & Finance Review Issue 12 - Business & Finance Magazine

Page 66

AMERICAS BUSINESS

The Far-Reaching Consequences of GDPR

In the run-up to the General Data Protection Regulation (GDPR), which came into effect on May 25, 2018, most businesses failed to recognise that GDPR’s reach spreads well beyond the borders of the EU.[1] Most multinational companies, and of course EU-based companies that deal with EU customer data, need to comply with the legislation. However, during the lengthy and somewhat confusing countdown, the majority of businesses only considered GDPR’s implications within EU boundaries, assuming that the legislation was something US companies need not worry about. This is simply not the case, and failing to recognise it can severely hinder the chances of businesses operating successfully across international markets.

Unbundling GDPR

The European Union introduced GDPR to safeguard its citizens amidst growing concerns around the safety of personal data. GDPR aims to protect the ‘personal data’ of EU citizens by giving individuals greater rights over how their data is used by institutions. The definition of personal data has been expanded beyond an individual’s name and address to include all other types of data, including IP addresses, system IDs and cookies. Even the account mnemonics more specific to financial companies are now included. In a nutshell, the legislation also aims to standardise data privacy laws and mechanisms across industries, regardless of the nature or type of operations.

Transatlantic Reach

For businesses that operate from outside the EU, the questions to consider are the extent of GDPR’s impact, as well as how to distinguish businesses that do need to comply from those that don’t. The answer simply comes down to the reach of GDPR. While GDPR is the most significant change to European data privacy and security we’ve seen in over 20 years, it is also a major change to US data privacy and security. A large percentage of US-based companies will therefore fall well within GDPR’s reach, one way or another. Any business that operates in the EU or with people in the EU (even if the company itself is not located there) may be subject to GDPR compliance. Additionally, if a US business uses data collected from people in EU member states for the purpose of targeted advertising, it is subject to GDPR. Similarly, if a US business conducts e-commerce and accepts money in the currency of an EU member state, it is also subject to GDPR.

Compliance in Practice

For a US company to be compliant, at the very least the company’s website should have a consent check box whose default value is unset (not pre-ticked). The key here lies in the territorial aspect of GDPR, which differs from the 1995 EU Data Protection Directive: if the US company has collected data on individuals while they were located in the EU, then it must comply with GDPR. Conversely, if an EU citizen is in the US and uses a website designed for the US market, then GDPR does not apply.
