If you are based in the United States, but your customers include residents of the European Union, you need to know about the General Data Protection Regulation (GDPR). The regulation came into force on 25 May 2018, setting in motion a new framework designed to give EU citizens greater control over their data and how that data is put to use.
For businesses, the GDPR brings in some important new obligations and requirements to ensure that EU citizens’ data rights are safeguarded. And it also includes a wide-reaching territorial clause – so whether your business is based in Austin or Amsterdam, the rules still apply.
Here’s a closer look at what the GDPR means for American firms and the steps you should take to stay on the right side of the law.
What the GDPR means for US businesses
Whatever your industry sector, it’s likely that you are already operating according to one or more data protection frameworks (e.g. HIPAA for healthcare, GLB for financial services and various state-level laws). So first off, some good news. Assuming that you already follow best practice on data protection, the GDPR probably isn’t going to demand a complete overhaul of your existing processes and practices.
That said, it would be wrong to assume that this new batch of EU rules is “basically the same” as the US model. Here are some of the key features of the GDPR and how they differ from the American environment.
The definition of “personal data”
The GDPR is concerned with personal data and, compared to many other jurisdictions, gives it a very wide definition. It includes any information that could identify a natural person, either in isolation or in combination with other identifying information, directly or indirectly.
Significantly, it covers Web data such as cookies and location tags (so US-based e-commerce businesses should take note). B2B sellers should be aware that it also includes work emails where it’s possible to identify the recipient (e.g. Johnsmith@xcoltd).
Enhanced data rights
You won’t be able to charge an administration fee for responding to subject access requests under the GDPR. You should also read up on the new rules relating to seeking subject consent, the right to be forgotten and data portability.