The Impact of GDPR On USA Companies

The Global Data Protection Regulation (GDPR) is coming and it will affect USA Based Businesses as well.

Starting May 25, 2018, the most talked about Data Protection Law, The General Data Protection Regulation, will bring the most significant change to European data security. It is the greatest data protection revolution in the past 20 years.

And, of course, an EU-based organization or MNC that does business in the EU has to comply with the GDPR.

But what about the U.S. enterprises that don’t have any direct business operations in any of the EU member countries. They must have no concern, right?

Well, that is not true!

A USA-based company that exists on the internet and markets their products over the web are also affected.

What is GDPR?

GDPR is a directive in EU law on data protection and privacy for all entities within the EU. It is proposed to offer guidelines to businesses for shielding customer data and offer extra protection for consumers when it comes to recognizing information. The export of personal data outside the EU is addressed. The GDPR mainly aims to empower citizens and residents over their personal data, and provides efficiency and smooth-running of the regulatory environment for international business by amalgamating the regulation within the EU.

Data Types Protection under the GDPR

The new directive on data protection will make businesses take that additional leap to protect consumer data. This data comprises information that can be used in an individual’s identification.

This regulation protects information like:

  • Name

  • Photo

  • Email addresses

  • Bank details

  • IP addresses

  • Social media posts

  • DNA data

  • Cookies collected from a digital visit

  • Medical information

Fundamentally, if it can be used to recognize a person, so it has to be protected.

The importance of GDPR for US businesses

A business falls under the purview of the GDPR, if it has business operations with any citizens of the EU. This also comprises any businesses that function in the Cloud. The GDPR shields any nation of the EU, irrespective of where that customer does business or where the company is actually located. For instance, if a business is based in the United States but it sells to European citizens on any level, then it must comply with GDPR as well as PCI standards.

As per the EU GDPR website, any company which does business with a citizen of the EU has to be equipped for deviations concerning:

Approach To The Data Transparency:

Companies must be able to provide information to their customers which explains the whereabouts of their personal data, like where it is being processed and what the purpose is. This information must be provided to customers in a digital format and free of cost.

Supervising The Data Protection Procedures:

Businesses involved profoundly in dealing with a large number of customer data or those that deal with a special type of data will have to employ a Data Protection Officer (DPO) to administer all data protection policies and practices.

Data Portability:

This entails that businesses provide consumers with their data and allow them to give it to another company.

Gaining the Consumer Consent:

Consumer consent must be provided before any identifying information can be used or treated in any way. Any form demanding approval must be easily understandable and easy to locate. The new data protection regulations will need that permission for customer information be written in a comprehensible language, i.e., there should be no jargon or complication with legal terminology. And it should be easy for customers to withdraw consent at any point in time.

The Data Status After The Transaction Process:

The GDPR allows citizens the right to “be forgotten.” This means that businesses need to delete any data at the request of customers that is not important to the initial processing purpose.

Consumer Privacy:

The new GDPR insists that privacy measures be combined into the design of the infrastructure. Some businesses will be required to refit existing technology to meet the privacy mandates.

Handling Data Breaches:

Businesses will have 72 hours to inform customers of a data breach under the GDPR.

Fine & Penalty:

A business found to be in violation can be fined for up to 4 percent of “annual global turnover” or 20 million Euros, whichever amount is the highest. For minor offenses, a business may be fined less.

While the new GDPR will offer long-drawn-out protections for consumers, it may demand that we make necessary changes to our processes and systems to comply.

Royal Cyber

Contact us to find out how we can help you get ready for operating business under the GDPR.

We can help in:
  • Presenting a Single View of the Customer
  • Deactivating all default opt-ins (As Customers will need to give explicit consent now)
  • Staff Training
  • Overall compliance with GDPR

We can provide help related to GDPR for the following eCommerce platforms

by Debdattaa

Leave a Reply