GDPR and North American organizations

  • 08 Jun 2018
  • Mark

Having spoken to many industry stake holders at the events I attended to recently (DRJ Spring world and RIMS in Texas) the hot topic is certainly GDPR and how American organizations can comply with the new regulations.

The EU's General Data Protection Regulation will bring about the greatest change to European data security in 20 years. If you’ve only been following the headlines, you’re probably aware of the “right to be forgotten,” 72-hour breach reporting, stronger consumer consent and high fines.

Of course, an EU-based company or multinational corporation that does business in the EU is, we hope, well on the way to complying with the GDPR. But what about U.S. companies that have no direct business operations in any one of the 28 member states of the European Union. They have nothing to worry about, right?

Not true.

Any U.S. company that has a web presence (and who doesn’t?) and markets their products over the web will have some homework to do.

A very important change in the GDPR that hasn’t received the attention it deserves has do with the geographic scope of this new law.

To quickly summarize: Article 3 of the GDPR says that if you collect personal data or behavioral information from someone in an EU country, your company is subject to the requirements of the GDPR. Two points of clarification. First, the law only applies if the data subjects, as the GDPR refers to consumers, are in the EU when the data is collected. This makes sense: EU laws apply in the EU. For EU citizens outside the EU when the data is collected, the GDPR would not apply.

There are still questions about how the EU will enforce these actions against U.S. and other multinational companies doing business over the Web. The EU is serious about a uniform data and privacy law for its market and has already changed the Web practices of major U.S. companies.

U.S. companies, especially those with a strong Web presence, should be paying attention and changing practices now and not waiting to become a headline two years down the road.

About the author

Mark Shatliff

Mark is the Business Development Manager for the BCI based in the UK. He regularly travels to the USA and Canada and has responsibility for BCI business development in that area.