General Data Protection Regulation (GDPR) and US Companies
What is GDPR?
The General Data Protection Regulation, better known as GDPR, is Europe’s new framework for data protection laws. These new privacy and security laws have been designed to give European Union (EU) citizens more control over their data. GDPR modernizes laws and obligations across Europe for the internet-connected age. The GDPR further defines the protection of personal data as a fundamental right.
Who does the GDPR protect? It protects any natural person that resides in the EU.
What data does GDPR protect? GDPR protects Personal Data as well as Sensitive Personal Data. Personal data is anything that allows a natural person to be identified. This may be any of the following:
- Names
- Addresses
- Birth dates
- IP addresses
- Email addresses
- Bank details
- Medical information
- Automated Personal Data
- Pseudonymized data
GDPR considers Sensitive Personal Data as being in special categories. These include:
- Trade Union membership
- Religious beliefs
- Political opinions
- Racial information
- Sexual Orientation
Key Changes organizations need to keep in mind:
- Privacy-by-design – data protection must be built into your business processes and systems from the start and provided by default.
- Data Retention – Personal data should be kept only as long as it is necessary. After that, it must be securely destroyed.
- Right to be forgotten – Users can ask for their data to be deleted. They may also ask to have their data transferred to a third party.
- Mandatory breach notification – Any breaches must be reported to Supervisory Authorities within 72 hours.
- Penalties for non-compliance – up to 20,000,000 Euros ($23,138,200) or 4% of the company’s annual global turnover, whichever is greater.
Does the GDPR apply to US Companies?
The simple answer is yes. The internet is borderless, and data moves across traditional national borders with ease. GDPR applies to any company that offers goods or services to customers or businesses that reside in the European Union (EU). If a US company controls or processes the data of any person or business in the EU, GDPR applies.
A Controller is an entity that decides the purpose for which, and the manner in which, personal data is used or will be used. If your company collects personal data of any person or business in the EU, you are considered a Controller.
A Processor is the person or group that processes the data on behalf of the Controller. Processing includes obtaining, recording, adapting or holding personal data.
GDPR Requirements for US Companies
- Ensure data is only collected when legal
- Obtain consent before data is collected, stored or processed
- Obtain consent from parents or legal guardians before children’s data is collected or processed
- Implement controls to ensure the confidentiality of personal data
- Train employees on the correct handling of personal data.
- Ensure EU citizens’ right to be forgotten can be honored and that it is possible to permanently erase all collected data.
- Ensure EU citizens are informed about how their data will be collected and used
- Make sure cross-border data transfers are GDPR compliant
- Implement data breach notification policies
- It may also be necessary for organizations to appoint a Data Protection Officer
What Do US Companies Need to Do Now to Ensure Compliance with GDPR?
- Determine what types of data you collect and/or process
- Determine if you need a Data Protection Officer
- Develop consent forms
- Ensure you can detect, respond to, and report data breaches
- Make sure your Privacy Practices meet GDPR standards
- Make sure any business associates and subcontractors are aware of GDPR Requirements
- Check whether your data retention policy is GDPR compliant
As of 25 May 2018, all organizations are expected to be compliant with GDPR.
If you are unsure how GDPR affects your business or don’t know where to start with GDPR compliance, it is strongly advisable to seek advice from compliance experts. Beringer Technology Group is always here to provide expert knowledge on topics like these. Contact us with any questions you may have.
Beringer Technology Group is a leading Microsoft Gold Certified Partner specializing in Microsoft Dynamics 365 and CRM for Distribution. We also provide expert Managed IT Services, Backup and Disaster Recovery, Cloud Based Computing and Unified Communication Systems.