What American Tech Companies Need to Know about GDPR

The ever-changing digital market necessitated the introduction of the General Data Protection Regulation (GDPR) to safeguard privacy and ensure data protection for EU citizens, but what effect will this have on American companies, particularly American tech companies? The GDPR brings in a raft of measures that strive to achieve greater data protection. It will also help to inform data subjects about the personal data that is being stored and used by organizations conducting business with the EU, or operating within the EU. The new law is set to affect many companies that handle EU citizens’ personal data.

Applicability of the GDPR in America

American technology companies will most likely be required to comply with the impending EU data protection regulation, since most of them will want to do business with customers in the EU. Initially, most people thought that the law would apply to European Union companies only; the truth is that the rules apply to organizations that carry out business within the EU regardless of their own physical location. These include online business websites targeted at individuals based within the EU. While merely being accessible to EU users does not automatically mean a site will need to be GDPR compliant, clearly offering services to those located in the EU, for example by displaying prices in euro (€), would.

Most American tech firms use cookies to track internet users’ activities. Because the law includes cookies in its definition of personal information, this has significant implications for many American companies. Most of them will have to implement privacy protections and embrace an end-to-end approach to safeguarding data.

Personal information under the GDPR definition includes any information that can be used to identify a person. This includes names, telephone numbers, addresses, email addresses, credit card information, individual IP addresses, medical information, and photos. Accordingly, firms that do business with the EU or monitor the behavior of individuals located in the EU must comply with the requirements unless they fall into a specific exempt category such as law enforcement agencies. Failure to do so may lead to consequences including heavy financial penalties.

The Purpose of GDPR

The new EU law is designed to serve one main purpose that comes with a lot of responsibilities. It seeks to offer equal protection to the rights and freedoms of natural persons in the EU by protecting personal data and providing standardized data protection laws. This covers how data is captured, stored, used, shared, and deleted once it is no longer required. It will grant more control, power and rights to those within the EU with regard to their personal information. The GDPR aims to ensure that companies adopt methods and structures so that persons’ data is only used for the purpose consented to. It should not be accessed by third parties without prior approval from the data subject, and it should not be stored in geographic locations that lack strong data protection regulations and systems.

Key Changes

The new EU regulation modifies the current Data Protection Directive and introduces several new elements to strengthen the data protection rule. These fundamental changes are likely going to alter the way most organizations operate today. Notably, the law will change the manner in which companies collect, manage, and administer data. The main areas that firms must take into consideration when adjusting their systems, processes and procedures to comply with the requirements are discussed below.

GDPR Consent

Under the GDPR, consent remains a legal basis to transfer and process data. However, the new regulation includes a more precise definition. While the current law allows controllers to use implicit and opt-out consent in some situations, the new regulation will require data subjects to provide a statement or a clear affirmative action to indicate agreement. Consent has to be given freely and specifically, and in an informed and unambiguous manner. Pre-checked boxes and inaction are no longer valid methods of obtaining consent. The requirements for processing sensitive data remain unaltered. However, the GDPR adds more items to the special categories. It also introduces restrictions on minors’ ability to approve data processing without parental authorization.

Rights under GDPR

There are certain key rights that users are entitled to under the GDPR. These include the right to be forgotten and the right to data access. American tech companies, like any other company, must know that data subjects have the right to request to see what information different organizations store about them. They will have the right to confirm whether their data is being processed, as well as how and where that processing takes place.

Under the GDPR, it is a criminal offense to deny data access to anybody who willingly provided it. The law requires that access be granted for free. Consumers’ information must be deleted from storage devices or systems when requested. Other rights enshrined in the new law include the right to data portability, the right to information, the right to correction of information, the right to restrict processing and the right to notification.

GDPR Breach Notification

The era when breach notification was to some extent left to the discretion of organizations comes to an end when the new EU regulation comes into force on May 25, 2018. Under this law, data leaks or breaches must be reported to supervisory authorities within 72 hours of the organization becoming aware of the breach. In certain situations the affected companies will have to notify both the local authorities and the public. Failure to observe the time limit may lead to significant fines. Both data controllers and processors are obliged to communicate with the supervisory authorities concerning the breach.

Consequences of Non-Compliance

Companies should be aware that GDPR sets a high bar for the handling of personal data. The law carries a penalty regime that most businesses would not want to face. It also gives the regulatory authorities powers to perform on-site audits, issue warnings and reprimands, and order specific remediation activities. In the case of serious violations, non-compliant organizations are liable to a fine of up to €20 million or 4% of worldwide annual revenues, whichever is higher.