GDPR and What it Means for U.S. Companies
GDPR is the European Union’s new data protection law. It stands for the General Data Protection Regulation and it goes into effect May 25. While this is a European law, U.S. companies are still subject to it, as are any organizations that possess private data on European Union citizens. It’s a sweeping update to existing data privacy laws that could have wide-reaching implications.
The United States has yet to pass a truly comprehensive data privacy standard. Individual states have passed varying data privacy laws, which make compliance confusing and very inconsistent. GDPR stands to set the standard for broad reaching regulation that standardizes compliance and enforcement across borders, within the European Union and across the globe.
This past week, the Computing Technology Industry Association, CompTIA, released a survey on “The State of GDPR Preparedness in the U.S.” Some of the findings are scary. More than half of U.S. companies say they are still trying to determine whether or not GDPR is applicable to them. Well, if they have any personal information on a citizen of the European Union, it does. So, for example, if you have just one employee who holds dual citizenship with a country in the European Union, GDPR applies. If a single citizen of the European Union has purchased something from your company, requiring them to submit payment and shipping information to your company, GDPR applies to your company. You get the idea.
In addition to not knowing if GDPR applies to their business, nearly 65 percent of companies are unaware of the substantial fine structure associated with violations of GDPR. This could lead to significant financial exposure for companies that have not familiarized themselves with GDPR and its applicability to their business.
Those that have looked into GDPR’s impact on their business may be thinking about whether or not they want to continue doing business with the European Union. It’s too soon to tell if the regulation will turn out to hamper business between companies within and outside of the European Union. Of the organizations surveyed, one-third indicate they have no plans to change their business practices with the European Union and its citizens, and one-third say they may. The remaining one-third are not sure.
Some of the unique provisions of GDPR that may be difficult for businesses to comply with are the requirements for data transparency and the right to be forgotten, among others. Data transparency requires that a person be able to review any personal information that a company stores about them. The company must also provide a way for an individual to correct any inaccuracies in that stored information. Even more daunting, perhaps, is the right to be forgotten. To be in compliance, companies must be able to prove that they have completely erased personal information on any individual who wants the company to do so.
We won’t know for sure what real implications GDPR will have for U.S. companies until one gets caught in violation. Once that first case comes to light, we will know how successful this law will be and whether it will become a model that others will follow. Until then, ambiguity, confusion and the threat of significant fines seem to be how GDPR is being perceived in the U.S.