From the 25rh of May, 2018, the laws governing data storage and personal privacy in the European Union will undergo a comprehensive overhaul as the General Data Protection Regulation comes into force. For companies based in the EU, this deadline looms large on the horizon – the GDRP does, after all, represent the biggest change to data protection regulation in 20 years.
Given that the GDPR will have such a wide-ranging impact, European businesses have been gearing up for compliance for more than two years – or at least they should have been. What is less well-known, however, is that the new regulations have a much greater scope than previous data laws. For companies based outside of the EU, particularly those in the US, this means that GDPR compliance cannot be ignored.
Any US-based businesses that think that the GDPR does not concern them could be in for a huge shock. GDPR affects any organisation that collects or processes data from EU citizens, regardless of where that organisation is based. This means that if a US-based firm has a web presence and targets marketing at individuals located within the EU, then GDPR compliance must be met.
Travel, software and e-commerce represent just some of the most likely sectors where US-based companies are going to engage with EU citizens on a regular basis. In fact, given that the EU and the United States have the largest bilateral trade and investment relationship in the world, there are likely to be thousands of American companies that come under the GDRP’s remit.
Another reason why US businesses should take note of the new ruling is that it introduces hefty fines for any organisation that fails to achieve compliance. Penalties for the worst offences could be as large as €20 million or four percent of annual global turnover, whichever figure is greater.
Fortunately, there are ways that US companies can achieve compliance with GDRP before the deadline. First of all, businesses should make sure that they are fully versed in the ruling and how it relates to their operations. Determine whether you are a data controller or processor and identify what information you currently collect from EU citizens. Conducting a comprehensive data audit is one way of gaining a clear overview of how your business currently collects, processes and stores information.
US businesses can also enlist the help of managed Service Providers, including those based in the EU, if they are not sure how GDPR relates to them. Many cloud service providers based in the European Union are now offering bespoke GDPR packages to their clients to ensure that they are ready for the May deadline. Others, like Sungard AS, can provide specialised services that will prepare you for a particular aspect of GDPR, such as disaster recovery.
On the surface, the compliance deadline for the General Data Protection Regulation is a daunting prospect. Processes may have to be checked and employees may need further training, but there is still time to achieve compliance. What’s more, US companies should not view the new regulations as a burden. Instead, organisations all over the world should use GDPR as an opportunity to improve their data security and efficiency, giving them an advantage over their competitors and allowing them to deliver better service to their customers.
By Matthew Walker-Jones