GDPR (which stands for General Data Protection Regulation) is a European regulation designed to protect the personal data of individuals in the EU, applicable since May 25, 2018. So why, as a US-based company, should I care about GDPR?
GDPR’s long-arm jurisdictional scope reaches many US-based companies
The first and most obvious reason lies in the GDPR's long-arm jurisdictional scope. Unlike Directive 95/46/EC, which it replaces, the GDPR expressly extends the reach of EU data protection law beyond the borders of the EU.
GDPR applies to:
Any entity established in the EU within the meaning of EU law.
A few US-based businesses may well fall within the GDPR's scope under this first prong, since the Court of Justice of the European Union (CJEU) construes the term "establishment" very broadly. The CJEU has ruled that "any real and effective activity being exercised through stable arrangements" may be enough to qualify as an establishment under EU data protection law, regardless of the legal form of that arrangement.
In the Weltimmo case (C-230/14), the CJEU held that a data controller is established in a member state of the European Union when it:
Operates a website "mainly or entirely directed" at that member state; and
Has appointed a local representative responsible for performing various duties, including recovering the debts resulting from that activity and representing the data controller in administrative and judicial proceedings relating to the processing of the data concerned.
Any entity that processes the personal data of individuals located in the EU, irrespective of its place of establishment
Even if you do not have any establishment within the EU, the GDPR may still reach you, since it also applies to organizations that:
Process the personal data of individuals in the EU in connection with the offering of goods or services to them, whether or not payment is required; or
Monitor the behavior of individuals located in the EU, for instance by tracking them online in order to profile them or predict their preferences.
As infringements of the GDPR may be subject to administrative fines of up to €20 million or 4 % of the organization's total worldwide annual turnover for the preceding financial year, whichever is higher, US-based businesses that fall within the GDPR's extraterritorial scope have no real choice but to comply with it.
However, only a few non-EU organizations have been fined for non-compliance so far. The main reason is that local data protection authorities do not always have the means to verify that every organization within their remit follows the regulation. As far as France is concerned, the CNIL's recent decision to impose a financial penalty of €50,000,000 on Google LLC may be the exception that proves the rule.
In addition, even when a local data protection authority imposes a fine on a non-EU organization, it may struggle to enforce that sanction in another jurisdiction.
Therefore, in practice, the enforcement of sanctions against non-EU organizations seems unlikely.
Non-compliance with GDPR may cause US-based companies to lose business to their competitors
When dealing with EU customers, the real threat for a US-based company is to lose ground to its competitors as a result of not being compliant with the GDPR. If you process the personal data of individuals in the EU on behalf of an EU client, you act as a processor, and your client is required to bind you by contract to the processor obligations set out in the GDPR; in other words, you will have to comply with the GDPR.
As a growing number of EU-companies are implementing compliance programs, measuring GDPR compliance has become a significant challenge for sourcing departments.
As part of their risk mitigation strategies, most EU-based companies perform due diligence on their potential suppliers or service providers. To assess GDPR compliance, they put in place detailed questionnaires which are very likely to include the following questions:
Have you undertaken formal gap analysis or an information audit against the requirements under GDPR?
Have you created a record of your processing of personal data?
Could you provide details of the technical and organizational measures your organization has put in place to ensure that any personal data you process on our behalf is handled in compliance with the GDPR?
Is data protection training provided to your staff?
If you plan to sub-contract any part of your work, do you have a contract in place with your sub-contractor that includes data processing obligations?
Will you, or any third parties acting on your behalf, be processing any of our personal data outside of the European Union?
A wrong answer to any one of these questions might cause your potential client to turn to your competitors. As a result, you not only need to actually be compliant with the GDPR, you also need to be ready to answer all kinds of questions about your compliance, with evidence to back up your answers.
Conversely, being proactive in implementing measures to comply with the GDPR may give you a competitive edge, and this is true even if you are not subject to the GDPR. The GDPR sets high standards, and raising the bar for data protection and cybersecurity can benefit your organization even if you are not in scope.
In conclusion, although responding to significant changes in data regulation may be a heavy burden (especially for the smallest organizations), you should look at the GDPR as a source of business opportunities rather than an obstacle.