GDPR (which stands for General Data Protection Regulation) is a European regulation designed to protect the personal data of EU citizens, enforceable from May 25, 2018. So why, as a US-based company, should I care about GDPR?
The first and most obvious reason lies in GDPR's long-arm jurisdictional scope. Unlike Directive 95/46/EC, which it replaces, GDPR extends the reach of EU data protection law beyond the EU's borders.
GDPR applies to:
A few US-based businesses may well fall within GDPR's scope under this first prong, since the Court of Justice of the European Union (CJEU) tends to construe the term "establishment" very broadly. The CJEU ruled that "any real and effective activity being exercised through stable arrangements" may be enough to qualify as an establishment under European data privacy law.
The CJEU held that a data controller is established within the EU when it:
Even if you do not have any establishment within the EU, the GDPR might reach you nonetheless, since it applies to organizations that:
As infringements of the GDPR may be subject to administrative fines of up to 4% of the contravening organization's total worldwide annual turnover or €20,000,000 (whichever is greater), US-based businesses that fall within the GDPR's extraterritorial scope have no choice but to comply with it.
However, only a few non-EU organizations have been fined for non-compliance so far. The main reason is that local data protection authorities do not always have the means to ensure that every organization follows the regulation. As far as France is concerned, the CNIL's recent decision to impose a financial penalty of €50,000,000 on Google LLC may be the exception that proves the rule.
In addition, even when a local data protection authority imposes a fine on a non-EU organization, it may have difficulty enforcing the sanction in another jurisdiction.
Therefore, the enforcement of sanctions against non-EU organizations seems unlikely.
When dealing with EU customers, the real threat for a US-based company is to lose ground to its competitors as a result of not being compliant with GDPR. If you have to process personal data of EU citizens on behalf of a client, you will have to comply with the GDPR.
As a growing number of EU companies are implementing compliance programs, measuring GDPR compliance has become a significant challenge for sourcing departments.
As part of their risk mitigation strategies, most EU-based companies perform due diligence on their potential suppliers or service providers. To assess GDPR compliance, they put in place detailed questionnaires that are very likely to include the following questions:
A wrong answer to one of these questions might cause your potential client to turn to your competitors. As a result, you not only need to actually be compliant with GDPR, but you should also be ready to answer all types of questions about GDPR compliance.
Conversely, being proactive in implementing measures to comply with GDPR may give you a competitive edge. A company may very well derive a competitive advantage from strict GDPR compliance, and this is true even if you are not subject to GDPR. GDPR sets out high standards, and raising the bar for cybersecurity might benefit your organization even if you are not in scope.
In conclusion, although responding to significant changes in data regulation may be a heavy burden (especially for the smallest organizations), you should look at GDPR as a way to build business opportunities rather than as an obstacle.