GDPR Compliance: What Is It & How Does It Affect US-Based Businesses?
GDPR, or the General Data Protection Regulation, is a European Union law put into place in 2018 that aims to protect the personally identifiable information of EU citizens. It does this by implementing a regulatory framework for how organizations maintain and transmit the sensitive data of any EU citizen they work with. Although GDPR compliance is meant to give EU citizens control of their own data, it has profound, far-reaching implications for organizations all around the world, including the United States.
GDPR applies to any and all companies that collect data on citizens in the European Union. So, before disregarding GDPR compliance as a regulation that only applies to organizations within the EU, it’s important to understand the true reach of GDPR and its implications on businesses operating outside of the EU.
Why Do US Organizations Need To Consider GDPR Compliance?
Although GDPR has been put into place to safeguard the personally identifiable information of EU citizens, its reach extends to organizations anywhere in the world, including the US. For example, if an EU citizen is temporarily traveling in the US and purchases merchandise from a US business, that US-based business needs to meet the GDPR regulatory requirements. The US-based business would have to adhere to those requirements to remain GDPR compliant; otherwise it would potentially be exposing itself to massive fines. Unfortunately, many organizations do not understand, or do not care to take, the steps needed to become GDPR compliant. One recent survey conducted by GDPR found that millions of small businesses aren’t GDPR compliant.
What Do Businesses Need to Do to Maintain GDPR Compliance?
The GDPR framework states that companies must provide a “reasonable” level of protection. Before assuming you’ve checked this box, it’s important to understand that this vagueness leaves room for interpretation by GDPR lawmakers, which adds risk to your organization. In the event of a GDPR compliance failure, it gives the GDPR governing body a lot of flexibility in how it assesses your organization’s attempt to provide a “reasonable” level of protection.
On GDPR’s website, companies can find a GDPR compliance checklist that helps them assess the steps they need to take to become GDPR compliant.
Here’s a brief breakdown:
- Conduct an information audit for EU personal data
- Inform your customers why you’re processing their data
- Assess your data processing activities and improve protection
- Make sure you have a data processing agreement with your vendors
- Appoint a data protection officer (if necessary)
- Designate a representative in the European Union
- Know what to do if there is a data breach
- Comply with cross-border transfer laws (if applicable)
What About The Right To be Forgotten?
The right to be forgotten clause, or right to erasure, gives the data owner the right to request that their data be deleted from an organization. This simple addition to GDPR has profound implications for organizations storing data, as many don’t have the proper tools or strategies in place to field these requests.
Challenges with the right to be forgotten request:
- Organizations often lose track of a client’s personally identifiable information by backing it up to multiple locations, off-siting it to the cloud, or copying it into a data warehouse.
- Organizations don’t have the processes and procedures in place to field right to be forgotten requests from data owners.
- Organizations put responsibility for compliance in the hands of a single DBA or customer service representative, creating a single point of failure.
Reversible masking, replacing personal data with tokens that can only be resolved back to the original values through a controlled mapping, is surprisingly becoming one of the primary methods organizations can use today to give control of the data back to the data owner.
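The following added illustration (not code from the original post or from any vendor’s product) shows why tokenization helps with the three challenges above: the application database and every backup taken from it hold only opaque tokens, while the mapping back to the real personal data lives in a single vault. An erasure request is then satisfied by deleting that one mapping, after which every copy of the token in backups or warehouses is unresolvable. Class and function names are assumptions for the example.

```python
import secrets


class TokenVault:
    """Single protected store mapping opaque tokens to personal data.

    Only the vault ever holds PII; downstream systems see tokens only.
    """

    def __init__(self):
        self._store = {}  # token -> dict of personal data

    def tokenize(self, pii: dict) -> str:
        # Random token carries no information about the underlying data.
        token = "tok_" + secrets.token_hex(16)
        self._store[token] = dict(pii)
        return token

    def detokenize(self, token: str):
        return self._store.get(token)  # None once the subject is erased

    def erase(self, token: str) -> bool:
        """Right-to-erasure: drop the mapping; all token copies go dark."""
        return self._store.pop(token, None) is not None


class OrdersSystem:
    """Application database plus its backups; stores tokens, never PII."""

    def __init__(self, vault: TokenVault):
        self.vault = vault
        self.orders = []
        self.backups = []  # snapshots that the vault deletion must cover

    def place_order(self, customer_pii: dict, item: str) -> str:
        token = self.vault.tokenize(customer_pii)
        self.orders.append({"customer": token, "item": item})
        return token

    def snapshot_backup(self):
        self.backups.append([dict(o) for o in self.orders])

    def customer_email_for_order(self, idx: int):
        rec = self.vault.detokenize(self.orders[idx]["customer"])
        return rec["email"] if rec else None


def erasure_request_demo():
    """Constructed sample: order, back up, erase, then try to resolve."""
    vault = TokenVault()
    app = OrdersSystem(vault)
    token = app.place_order({"name": "Sample Person", "email": "sample@example.invalid"}, "sku-1")
    app.snapshot_backup()
    before = app.customer_email_for_order(0)
    vault.erase(token)
    after = app.customer_email_for_order(0)
    backup_holds_pii = any("@" in str(o) for snap in app.backups for o in snap)
    return before, after, backup_holds_pii
```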
When Does the Right to be Forgotten Apply?
There are also considerations for when the right to be forgotten applies and when it does not. Straight from GDPR’s website, below is a list of scenarios in which the right to be forgotten does apply to an organization.
- The personal data is no longer necessary for the purpose an organization originally collected or processed it.
- An organization is relying on an individual’s consent as the lawful basis for processing the data and that individual withdraws their consent.
- An organization is relying on legitimate interests as its justification for processing an individual’s data, the individual objects to this processing, and there is no overriding legitimate interest for the organization to continue with the processing.
- An organization is processing personal data for direct marketing purposes and the individual objects to this processing.
- An organization processed an individual’s personal data unlawfully.
- An organization must erase personal data in order to comply with a legal ruling or obligation.
- An organization has processed a child’s personal data to offer their information society services.
What Happens if an Organization Neglects to Maintain GDPR Compliance?
The fines associated with GDPR non-compliance are no laughing matter. GDPR fines break into two primary categories based on the severity of the violation.
The less severe infringements:
- result in a fine of up to $20 million or 2% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher.
The more severe infringements:
- result in a fine of up to $40 million or 4% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher.
To learn more about the specific infringements that cause an organization to sustain GDPR fines, reference GDPR’s website on compliance fines.
As you continue on your journey to compliance and healthy business practices for your organization, remember to stay up to date with GDPR as new initiatives and interpretations of the regulatory framework evolve. If you’d like to learn more about protecting your organization with regard to GDPR compliance, check out our write-up GDPR: How to Efficiently and Effectively Secure Personal Information.