How the GDPR Set a New Standard for Data Privacy and Protection in the EU and America

GDPR Compliance is Not Just an EU Issue—It’s American, Too

You’ve probably heard the letters “GDPR” a couple of times in the last few years. “What do they mean, and why do I have to care?” may have been your response.

The GDPR stands for “General Data Protection Regulation.” It’s the European Union data privacy and protection regime that went into effect in May of 2018. It is designed to provide people located in the European Union with greater protection of their personal data, and it seeks to punish companies that fail to comply with the rules. It may seem like an EU issue, but GDPR compliance also affects American companies doing business in Europe. And, it has spurred discussions in the U.S. on data privacy. This article seeks to provide you with an overview of the GDPR and its impact.

How GDPR Compliance Applies Globally

Prior to the GDPR, the European Union (EU) already took its members’ personal data very seriously. The protection of personal data is actually codified in the EU Charter. This is very unlike the hodge-podge scheme of laws (mostly state) in the United States that seek to protect individual data.

But the GDPR applies globally. So, even though U.S. companies may not have had to abide by strict data privacy and protection laws in the U.S., they have to abide by the GDPR if they do business in Europe or collect any data from EU citizens, regardless of whether the data is stored outside the EU.

Beyond increasing the scope of data privacy and protection, the GDPR requires stricter conditions for consent. An organization’s request for consent must be given in an intelligible and easily accessible form. More importantly, it must be easy to withdraw consent. Gone are the days when websites could throw thousands of pages of privacy policy up on the screen and ask for your consent (which most of us gave blindly).

The GDPR also requires mandatory data breach notifications within 72 hours of the breach. This seeks to solve the problem of large companies hiding their data breaches. Wyndham Hotels and Ashley Madison would not be able to lose personal data to the dark web and keep their mouths shut anymore.

Under the GDPR, individual users also have the right to obtain their personal information free of charge. They can learn whether personal data was taken, for what purpose and where it is being held.

A concept that may seem very foreign (pun intended) to U.S.-based consumers is the “Right to Be Forgotten.” The GDPR entitles “data subjects” to request that the entity controlling their personal data erase all of the data, stop providing that data to third parties and, in some cases, go so far as to require third parties using the data to stop doing so.

What Does This Mean for Me?

That’s a lot of very foreign information for U.S.-based consumers, who have only recently begun learning the extent of how our personal data is shared. You might ask why you need to know or care about the GDPR. And, of course, the answer is money! The GDPR drastically increases penalties for non-compliance. We’re looking at you Facebook and Google!

But even as a small or mid-sized business owner, the GDPR may affect you too. Even if your business isn’t located in the EU, if it collects or tracks the personal data of any individuals located in the EU, you’re required to adhere to the data privacy regulations. For example, if people are able to access your website from the EU, you’ll need to follow this checklist—or risk heavy fines.

Under the GDPR, non-compliant companies face strict penalties, which may be up to 4% of the organization’s annual global revenue or €20 million, whichever is greater.. Yes, that says greater!

The GDPR solidified the EU’s belief that personal data is important and should be private and protected. By reaching beyond the bounds of the EU to enforce personal data regulations, jurisdictions like the United States have been forced to sit up and take notice of what the EU believes is a fundamental human right.

The GDPR’s Impact

Almost three years later, and it’s clear the EU is taking GDPR compliance seriously. For example, in 2019 Google was fined a €50 million penalty due to its failure to provide specific consent to users creating a Google account while setting up their Android phone. More recently, Amazon was just fined €35 million for tracking cookies without consent.

Additionally, clarifications have been made to the original GDPR. In fact, the European Data Protection Board has issued a variety of guidelines to help companies ensure GDPR compliance. These include guidelines on how companies disclose their collection, usage and sharing of data with users; clarifications on which companies the GDPR applies to; and guidelines for processing personal data.

For many companies, the GDPR has changed the way they do business and oversee their customers’ data privacy and protection, including how their sales team prospects or how they manage their marketing activities. They’ve had to review processes and forms to ensure they’re being compliant with opt-in rules. Even with something as simple as a newsletter, to ensure GDPR compliance, companies must be able to prove that a customer agreed to receive it. Companies have also had to take a hard look at how they handle their data, and ensure the proper security measures have been put into place to avoid a data breach.

What’s Next for Data Privacy and Protection Laws?

The GDPR has also spurred the rise of other data privacy laws in the U.S., like California’s recent Consumer Privacy Act (CCPA), which allows California citizens the right to see the information a company has on them, as well as the third parties that their data is shared with. It also gives them the right to sue a business directly if their personal information is exposed through a data breach due to a failure to use reasonable security measures.

In November 2020, California voters approved the California Privacy Rights Act (CPRA) as well, which provides California residents additional control over their personal information. The approval of the CPRA will likely trigger a new wave of data privacy and protection laws in other states, or perhaps even at the federal level. Indeed, several states including Nevada, New York, Texas and Washington are considering following California’s lead.

By forcing the U.S. to comply with these stricter data privacy and protection rules, the European Data Protection Board has started to inspire new, comprehensive privacy legislation. In fact, Gartner projects that by 2023, 65% of the world’s population will have its personal data covered under modern privacy regulations—a major improvement from the 10% in 2020.

Hopefully these regulations are put in place before Google, Facebook and Amazon sell our souls!

---

[Editor’s Note: To learn more about this and related topics, you may want to attend the following webinars: Data Privacy Compliance, Introduction to US Privacy and Data Security: Regulations and Requirements, Cyber Security & Data Privacy. This is an updated version of an article originally published on June 26, 2018.]

©All Rights Reserved. February, 2021.  DailyDAC^TM, LLC d/b/a/ Financial Poise^TM