GDPR Affects U.S. Companies
Even though the GDPR is a European regulation, it imposes requirements on U.S. companies. American companies that transfer personal data between the U.S. and Europe fall within the GDPR compliance requirements even though they may be physically headquartered outside the EU.
The first step towards full GDPR compliance is to establish whether the GDPR requirements apply to a given U.S. company. Regardless of company size measured in staff or revenue, if the company offers goods and/or services to EU/EEA residents, or collects, processes or monitors the personal data of users within the EU/EEA, the GDPR applies to it. Names, contact information, and details such as IP addresses and locations are considered personal data covered by the GDPR, and you need to demonstrate a lawful basis to process them.
The GDPR compliance requirements are also adapted to company characteristics such as staff size. Businesses employing fewer than 250 employees are not required to keep a record of data-processing activities. This exemption applies only if the processing is unlikely to pose a risk to the individuals concerned and no special categories of data are handled, as set out in Art. 30 GDPR. Therefore, most companies that process special categories of personal data must keep records of their data-processing activities.
Data subject rights and crucial tools for complying with the GDPR requirements for U.S. companies include Data Breach Notifications, which fall under the user's right to be informed and require companies to be transparent about data collection and to obtain consent, or "opt-in". These act in accordance with the Right of Access, under which the user must be allowed to view any collected data within one month, free of charge. Other GDPR requirements include conducting Data Protection Impact Assessments (DPIA), Privacy by Design and Default, strict consent conditions, Data Subject Access Requests (DSAR), and the appointment of a Data Protection Officer (DPO).
The GDPR has multiple tools for enforcing its rules in foreign countries. If a company holds EU/EEA assets or presence, such as bank accounts, property, or servers, these can be seized for GDPR violations. Alternatively, if the company has no physical presence in the EU/EEA, the GDPR compliance requirements demand that it appoint a representative based within the EU/EEA. Legal action can also be taken under international law, possibly through EU/EEA enforcement agencies.
GDPR Fines 2020
GDPR fines will also play a major role in compliance with this European law in 2020. They can reach 20 million euros or four percent of the company's annual global revenue, whichever is higher.
For example, in a significant ruling, Google was fined €50 million by France's GDPR enforcement agency, the Commission nationale de l'informatique et des libertés (CNIL), for processing EU/EEA users' information without their consent, essentially disregarding the GDPR requirements.
To review, the GDPR requirements apply to most U.S.-based companies that have European customers, especially if they supply consumer goods and services, track personal data, or share personal data with third parties. Non-compliance with the GDPR can result in harsh and expensive consequences for American companies. Therefore, corporations with any connection to European users should ensure that they receive reliable assistance in avoiding any non-compliance with the GDPR requirements.