The EU member states may have spent a good four years drafting and negotiating the text, but the General Data Protection Regulation (GDPR, for short) is finally here – or rather, almost here. Adopted in April 2016, the GDPR is set to be applied, and thus become enforceable, in May 2018. Contrary to what some may believe, this news is important for US-based businesses too, since the GDPR will have a direct impact on many of them. So what exactly is it?
The New General Data Protection Regulation
The main purpose of the GDPR was to replace the largely obsolete Directive 95/46/EC from 1995 and to review and consolidate the EU privacy framework to address the challenges posed by a data-driven world and its increased potential for privacy breaches. It was drafted with the aim of safeguarding EU citizens’ data and privacy rights, but was also heralded as a way to significantly boost the EU Single Market economy and make Europe fit for the digital age.
One of the objectives put forward by the GDPR is establishing the concept of personal data protection as a fundamental human right, which effectively means that any individual has the right to access, correct, erase, or port their personal data, subject to certain requirements. Furthermore, it imposes obligations on organizations and companies storing, handling and processing personal data – non-compliance can result in fines reaching up to €20,000,000, or 4% of an organization’s total global profit. The set of rules encompassed in the GDPR will strive to ensure that the application of data protection safeguards is harmonized across the EU, which will arguably contribute to an increased legitimate flow of personal data within and beyond the EU and the European Economic Area (EEA).
How Will it Affect Businesses in the USA?
In today’s globalized economy, it is obvious that a large part of this data handling occurs across borders. That is why one of the most significant aspects of the GDPR is its territorial application. Article 3 of the Regulation clearly extends this application beyond EU borders. In fact, the GDPR applies both to data processing by an EU-based entity when that processing takes place abroad (thus encompassing data handling by branches of EU companies based elsewhere), and to data processing outside the EU in relation to the provision of goods or services (even without payment!) directed to consumers based within the EU, or in relation to behavior monitoring, as long as this behavior takes place on EU soil.
So it seems the GDPR states unequivocally that it will encompass US-based business activities that handle EU-sourced personal data, so no one can claim that we have not been warned! The trade relationship between the EU and the US is undoubtedly of utmost importance, and much of this trade involves the transfer and handling of personal data. In the first four months of 2017 alone, the trade in goods (not counting trade in services) between the two partners reached more than $230 million.
Keeping those figures in mind, it’s not hard to realize that the implications of this new GDPR scheme will be far-reaching. And with less than one year left to prepare, US companies need to take action quickly.