What does GDPR mean for US companies?


When the General Data Protection Regulation (GDPR), Europe’s most comprehensive data privacy law to date, went into effect on May 25, 2018, it turned the digital world upside down.

The GDPR governs personal data, which is defined as any information that may be used to identify a specific person, also known as a “data subject.” Affected businesses must honor data subjects’ requests for how their personal data is treated and retain records of that processing.

Despite being grounded in EU law, the scope of this groundbreaking data protection and privacy regulation extends far beyond the physical borders of the EU, the European Economic Area (EEA) and Switzerland (hereafter referred to collectively as the EEA for brevity). That reach includes the United States (US), the EU’s most important trading partner.

What does GDPR mean for US companies?

Because it is extraterritorial in scope, the GDPR applies to businesses outside of the EU. Specifically, the law is intended to defend the rights of data subjects rather than to govern corporations. Any person in the EU, including citizens, residents, and possibly tourists, is a “data subject.”

In effect, this means that if you collect any personal data from anyone in the EU, you must comply with the GDPR. The information could be in the form of email addresses from a marketing list or the IP addresses of website visitors.

You might be wondering how the European Union will enforce legislation in a country where it has no power. Foreign governments frequently aid other countries in enforcing their laws through mutual aid accords and other measures. Article 50 of the GDPR answers this question directly. So far, the EU’s reach has not been tested, but no doubt data protection authorities are exploring their options on a case-by-case basis.

Illustration: GDPR sign

According to Recital 23, foreign companies are required to comply with the GDPR only if they target EU residents with their marketing.

A US company has to comply with GDPR if:

  • They routinely process the data of EU citizens.
  • They handle information about health condition, racial or ethnic origins, sexual orientation, and religious beliefs, among other things.
  • The rights and freedoms of those data subjects may be at risk.
