New Data Handling Regulations from Across the Pond May Affect U.S. Businesses

Olivier Le Moal / Shutterstock.com

On May 25, 2018, a significant new set of regulations go into effect across Europe and around the world that will greatly impact virtually any business that has an internet presence. The time for compliance is approaching very quickly but 60 percent of all businesses affected are not ready to be in compliance.  This number is concerning given that violations of new regulations carry huge fines that could cripple businesses of all sizes.

The General Data Protection Regulation (GDPR) was initiated to give consumers in Europe greater control over their personal data. GDPR impacts any business that has customers located within Europe and affects all businesses regardless of physical location, company size, or scope of business. While the emphasis first appears to be on European organizations, the regulations apply to businesses anywhere in the world that process the personal data of European Union (EU) residents. In today’s vast global internet world without borders, those not affected make up a very short list.

Article 3 of the GDPR says that if your organization collects personal data or behavioral information from someone in an EU country, your company is subject to the requirements of the GDPR. Businesses will need to be much clearer about the information they hold on people and give them more control over how it disseminated and managed. Compliance is likely to be easier for heavily-regulated business-to-business sectors such as banking and insurance, but retailers and companies that deal directly with consumers need to be particularly aware of the new regulatory environment.

Many business entities outside Europe who failed to thoroughly understand the implications of the looming regulations are suddenly waking up to their new reality. Robert Bond, a partner at London law firm Bristows, says, “Already this morning, there have been three overnight calls from the U.S., saying we don’t have anything in place but we’ve realized this applies to us, do you have a quick fix solution?  I think there’s an awful lot of businesses out there, particularly outside the EU, that have suddenly realized the extra territorial nature (of GDPR) and that’s come as quite a shock. They are assuming it’s a tick the box exercise, which of course it isn’t.”

U.S. based hospitality, travel, software services and e-commerce companies will certainly have to consider their online marketing practices and determine the risk of non-compliance as well as any other U.S. companies that have identified a market in an EU country. GDPR requires organizations to identify a security strategy and adopt adequate administrative and technical measures to protect EU citizens’ personal data.

Given the existing costs associated with irresponsible handling of consumer’s personal data, few organizations can afford complacency about cybersecurity. While the heavy fines for non-compliance to GDPR compounds the penalties for cybersecurity ignorance, the new regulations offer an additional incentive and opportunity for companies to implement policies that may help them avoid a future data breach and the significant calamity to normal business operations that results.