How the GDPR May Affect Your U.S.-Based Business

Security is and has been top of mind in the eyes of businesses and consumers around the world and in the U.S. Recent data breaches have warranted more immediate actions by several companies to stem the tide of continual unauthorized access to consumer information. With that in mind, the European Union has made great strides in protecting personal data and behavioral information with the enactment of the “General Data Protection Regulation” (GDPR).

While the GDPR went into effect nearly a year ago or so, it will become mandatory on May 25, 2018, and will bring about the greatest change to European data security in 20 years. Of course, an EU-based company or multinational corporation that does business in the EU is well on its way to complying with the GDPR. But what about U.S. companies that have no direct business operations in any one of the 28 member states of the European Union? They have nothing to worry about, right?

Not true.

Any U.S. company that has a Web presence (and who doesn’t?) and markets their products over the Web will have some homework to do and will possibly need to make some updates to their website.

Territorial Scope

A very important change in the GDPR that hasn’t received the attention it deserves has to do with the geographic scope of this new law.

To quickly summarize: Article 3 of the GDPR reads that if you collect personal data or behavioral information from someone in an EU country, your company is subject to the requirements of the GDPR. There are two points that should be clarified. First, the law only applies if the data subjects, as the GDPR refers to consumers, are in the EU when the data is collected. This makes sense: EU laws apply in the EU. The GDPR would not apply for EU citizens outside the EU when the data is collected. The second point is that a financial transaction doesn’t have to take place for the extended scope of the law to kick in. If the organization just collects “personal data” — EU-speak for what we in the U.S. call Personally Identifiable Information (PII) — as part of a marketing survey, then the data would have to be protected per the GDPR.

To make this simpler, if you are marketing or doing business with Great Britain or any country in the EU, you fall within the scope of the GDPR and will need to make some changes to your website to comply with the new regulations.

The implementation of this EU regulation and its far-reaching effects for businesses on the Web will be confusing for most companies to navigate. The key is to find a company that can explain this new security regulation and prepare you for it. It is better to be proactive rather than reactive when determining how it might affect your company. Call, email, or stop by Streng Agency as soon as you can so we can prepare you for this event.