On 25 May the General Data Protection Regulation (GDPR) came into force across Europe. It also has implications for US companies. GDPR is a set of regulations that requires companies to be clearer about, among other things:
- Who within the company is responsible for the data that has been collected
- How consent is obtained from users before their data is collected
- What the data will be used for
- How users can have their data removed
- How the regulator will be notified if a breach occurs
- How data will be stored
How are US companies affected by GDPR?
While the regulation is enforced by the European Union and not the United States, any US company with operations resident in the EU must comply.
Equally, any US company that offers goods or services, or monitors the behaviour of people within the EU must comply even if their company’s physical location is outside of the EU.
A good example of the implications of GDPR was the decision of some US media companies to block European visitors to their websites rather than risk breaching the new regulations.
The Los Angeles Times and the Chicago Tribune are just two examples of online media outlets that are telling visitors that, due to GDPR, "we can't show you anything right now".
While they are not gathering new data, they will have old data that predates 25 May, so these companies will still need to comply.
What happens if a US company breaches GDPR?
The fines for GDPR negligence look steep. The maximum fine is 4% of worldwide revenue or €20 million, whichever sum is greater.
However, the EU Regulator did not start a cash grab on 26 May.
The regulations are extensive and complicated in places. The consensus among GDPR commentators is that the EU Regulator will exercise some leniency initially and primarily be looking for companies that have made no efforts in planning or execution to deal with GDPR.
If your company can demonstrate an effort was made and there is willingness to improve compliance, you could save yourself some dollars and heartache.
What are the main things I need to consider for GDPR?
Gaining and maintaining GDPR compliance will be an ongoing process. There is no simple 'check box' solution. This article by the tech news website ZDNet gives a good foundation as to what is required.
Here are three principles that you can apply to begin your journey to GDPR compliance.
1. Data Minimisation
Part of GDPR is making sure companies are not stockpiling data. Companies can only store the data that they need.
2. Data Upkeep
Companies are required to keep their user data up to date. Older data must be destroyed if newer updated information is available.
3. Historical Significance
Companies cannot retain data on a user who no longer uses their services.
Let Smart MBS help with GDPR compliance
At Smart MBS we have both the knowledge and the relationships with regulators that can help smooth your compliance journey.
If you'd like to contact us to find out more about GDPR, or anything related to expanding your business, please fill in the short form below.
While you're waiting for the call back, why not download our eBook for more information on Smart MBS?