Why the GDPR Matters to U.S. Organizations
GDPR is a law that was passed in the EU and has had significant implications for all companies operating in Europe. However, this law has become the “gold standard” in places far beyond the EU as it is in many ways the new standard for data security and data privacy requirements for businesses of all kinds.
In this article, we want to discuss the impact that GDPR has had on US companies and why this legislation should matter to US organizations as well. A key reason US companies should care is that GDPR compliance is best practice and will help them be prepared should a comprehensive US data privacy law be passed.
What is the GDPR?
The General Data Protection Regulation (also known as GDPR) of the European Union is a data protection law that went into force in 2018. It establishes a single set of rules and authorities to safeguard the personal data of all EU individuals. The GDPR applies to any organization that maintains the data of EU citizens or of anybody inside the European Economic Area (EEA) free-trade zone, not only to organizations headquartered in the EU.
The General Data Protection Regulation (GDPR) defines a number of parties that handle, process, and safeguard data. These definitions will assist you in getting started with GDPR and related rules. The GDPR divides data parties into three categories: data subjects, controllers, and processors.
A "data subject" is someone whose information is being gathered. A "data controller" is an entity that decides the circumstances, purposes, and methods for processing the personal data of a data subject. A "data processor", on the other hand, is a company that handles personal data on behalf of the controller.
Controllers and processors can be situated anywhere in the world, including the United States, under the GDPR. This is a considerable departure from previous EU regulations.
What constitutes personal data is another crucial GDPR concept to comprehend. Only data that can be used to identify an individual is protected under GDPR. For example, age alone cannot be used to identify a person and is not covered by GDPR, but age plus name data may be used to identify a person.
Understanding the Key Features of the GDPR
The GDPR is primarily motivated by the EU's desire to create a unified digital market. The current GDPR requirements are guided by the concepts listed below, and all three of them apply to US organizations.
Proportionality
According to GDPR, the amount of personal data processed must be proportionate to the reason for which it was collected. This entails gathering as little data as possible and retaining it for no longer than is required to service the consumer.
Transparency
All data subjects have the right to be informed about the processing of their personal data and the purposes for which it is used. They must also expressly consent. (See Articles 7, 10, 11, and 12 for further information.) For most firms, GDPR represents a significant change. You must shift from an opt-out to an opt-in attitude when it comes to data processing.
Legitimate Purpose
For data collection to be legal, organizations must have a legitimate reason for doing so. The quantity of personal data needed to accomplish business tasks should be kept to a minimum. A gaming application, for example, does not need healthcare information, so it should not collect data that has no value to its business.
What Does the GDPR Say About US Companies?
The GDPR does not directly apply to all US companies, but it does indirectly affect them.
The GDPR applies to the United States just as it does to every other nation in the world. This is the case because Article 3 of the GDPR, which specifies the law's geographical reach, stipulates that it applies not just to firms in the EU, but also to organizations outside the EU that offer goods or services to EU citizens or monitor their data and behavior.
If at least one of the following two requirements is satisfied, the GDPR applies to all US enterprises, regardless of revenue or employee size:
- The company provides goods or services to EU residents, even if no money changes hands.
- The company keeps track of how users behave within the European Union.
Names, contact information, device specifics such as IP addresses, biometric information, pictures, and videos are among the personal data and behavior covered by the GDPR.
The criteria for GDPR compliance differ based on the company's characteristics. Businesses with fewer than 250 workers, for example, are not required to keep records of their data-processing operations. However, as stated in Art. 30(5) of the GDPR, this exemption only applies if the processing does not represent a danger to the data subjects' rights and freedoms, if no special categories of data are processed, or if the processing is done only occasionally.
Why Does the GDPR Matter?
Changes under GDPR are aimed at shifting businesses away from a tick-box compliance approach to personal data protection and privacy, and toward a company-wide strategy for managing the data's entire lifecycle.
To begin with, the GDPR covers a broader geographical area. It is not necessary to be based in Europe to fall within its scope. GDPR will apply to any corporation that conducts business with EU citizens. Even if you provide a profit-free service, such as an app that is accessible to persons in the EU, you may be subject to GDPR if you collect digital information such as IP addresses or run cookies.
There's also the matter of DPAs to consider. Data Protection Authorities (DPAs) are able to impose even harsher fines for personal data breaches. GDPR has a tiered approach to penalties. For the most egregious infractions, such as failing to get adequate consumer consent to process data, the maximum penalty is 4% of annual global revenue, or €20 million. A fine of up to 2% of worldwide annual revenue applies to less significant infringements, such as failure to notify of a breach. By comparison, the highest punishment for violating the Data Protection Act in the UK was £500,000, and the greatest fine to date under it was £400,000, imposed on TalkTalk in 2016 for security flaws that allowed a cyber attacker to access consumer data "with ease."
GDPR compliance is particularly critical since technical and organizational safeguards to secure personal data have become essential, with the GDPR laying out examples of what is expected. These measures include hashing and encryption of personal data, the capacity to maintain confidentiality, integrity, and availability, and mechanisms for evaluating the effectiveness of security measures.
In addition, the scope of personal data has been broadened to include online identifiers like IP addresses and mobile device identities. Individuals' express agreement to the processing of personal data will be required, and firms will no longer be permitted to utilize extensive, unreadable terms and conditions. Individuals will also have new rights in terms of data processing, such as data erasure and data portability, which is the capacity to transfer data to a different controller.
How Has the GDPR Influenced Data Privacy Internationally?
The GDPR has influenced legislation all over the globe, including Brazil's General Law for the Protection of Personal Data, China's planned Personal Data Protection Law, and India's proposed Personal Data Protection Bill, to mention a few. In the United States, California and Virginia have passed laws based on the GDPR, while other states, such as Washington, are still working on proposals.
In India, the GDPR served as a model for the planned PDPB, which is likely to be submitted to Parliament soon in its final form. India is considering expanding the scope of the law to include a category of sensitive personal data that would require compliance even if no data is gathered in India but is processed there.
The GDPR's fundamental principles of openness, data preservation, and security have proven to be universally applicable. Since 2018, there has been a significant shift, with a recognition that handling personal data transparently and safely is a must.
On a worldwide scale, the GDPR is likewise raising the profile of privacy. The GDPR has been a very beneficial opportunity for privacy professionals, boosting privacy possibilities, career pathways, and jobs while also developing a stronger and more varied pool of privacy talent. More broadly, the GDPR has acted as a catalyst to move privacy to the top of CEO agendas in all businesses.
The GDPR has raised data privacy to a C-Suite priority within enterprises, hastened the maturation of many privacy programs, and has shifted many privacy programs from a tick-box compliance approach to developing a culture of privacy by design and responsibility. Organizations' desire to comply with the GDPR is unsurprising given the regulation's enforcement mechanisms.
The Future of GDPR Compliance and Data Privacy
While the GDPR has set the standard for a worldwide data protection framework, it may be improved by aligning its approach with existing international law principles.
The "Schrems" cases have caused a lot of confusion in recent years, and the adequacy process has been less than transparent. The procedure for evaluating whether a country fulfills the EU criteria is cumbersome, and the legislation could be strengthened by drawing on existing concepts of cross-border cooperation from other areas of international trade.
Organizations are keenly monitoring the EU's planned ePrivacy Regulation, which will replace the ePrivacy Directive in defining standards for electronic communications, as well as proposals for artificial intelligence regulation, as they work through GDPR compliance. Privacy experts believe these proposals must be aligned with the GDPR when they are reviewed.
The GDPR's principles, such as accountability, openness, and fairness, can serve as a model for future legislation, with the purpose of developing rational and practical solutions that protect individuals. To avoid fragmentation of data governance laws inside the EU, future legislation should seek close conformity with GDPR rules.