What American Tech Companies Need to Know about GDPR

The growth of the digital market prompted the EU to adopt the General Data Protection Regulation (GDPR) to safeguard the privacy and personal data of individuals in the EU. GDPR introduces a range of measures that strengthen data protection and oblige organizations that do business with the EU or operate within Europe to tell data subjects how their personal data is stored and used. The regulation affects every company that handles the personal data of people in the EU, and it will have a significant impact on how American technology businesses operate.

Applicability of GDPR in America

American technology companies have every reason to prepare for the EU's data protection regulation. Many initially assumed that the law would apply only to companies established in the European Union; in fact it also applies, regardless of where an organization is located, to any organization that offers goods or services to people in the EU or monitors their behaviour (Article 3). Merely having a website that EU residents can reach is not by itself enough; what matters is whether the business targets or tracks them. Most American tech firms use cookies to track users' activity, and GDPR treats cookie identifiers and other online identifiers as personal data when they can be linked to an individual, so the law has significant implications for many American companies. Most of them will have to implement privacy protections and adopt an end-to-end approach to safeguarding data.

Under GDPR, personal data is any information relating to an identified or identifiable natural person. Identifiers include names, telephone numbers, postal addresses, email addresses, credit card numbers, IP addresses, medical information, and photographs. Firms that do business with the EU or monitor the behaviour of people in the EU must comply. The Regulation does not cover processing for national security purposes, which falls outside EU law, and processing by law enforcement authorities is governed by a separate directive (the Law Enforcement Directive, 2016/680). Failure to comply exposes an organization to enforcement action, including heavy fines.

The Purpose of GDPR

The new EU law serves one main purpose, and it brings many responsibilities with it. It protects the personal data of people in the European Union by providing a single, directly applicable data protection regime across the member states. This covers how data is collected, stored, used, shared, and deleted once it is no longer required. It grants data subjects more control over, and more rights in, their personal information. GDPR requires companies to adopt methods and structures that ensure personal data is used only for the purposes for which it was collected, is not shared with third parties without a lawful basis, and is not transferred to countries outside the EU unless those countries provide an adequate level of protection or appropriate safeguards (such as standard contractual clauses) are in place.

Key Changes

The new EU regulation replaces the 1995 Data Protection Directive (95/46/EC) and introduces several new elements that strengthen data protection rules. These fundamental changes are likely to alter the way most organizations operate today, in particular the way companies collect, manage, and administer data. The main areas that firms must take into account when adjusting their systems, processes, and procedures to comply with the requirements are discussed below.

GDPR Consent

Under GDPR, consent remains one of the lawful bases for processing personal data. However, the new regulation tightens its definition. Whereas the earlier law allowed controllers to rely on implied or opt-out consent in some situations, the new regulation requires data subjects to give a statement or a clear affirmative action that indicates agreement; pre-ticked boxes, silence, and inactivity do not count. Consent must be freely given, specific, informed, and unambiguous, and it must be as easy to withdraw as it was to give. The requirements for processing sensitive data remain broadly the same, but GDPR adds genetic data and biometric data to the special categories. It also restricts children's ability to consent to the processing of their data by online services: below the age of 16 (which member states may lower to no less than 13), parental authorization is required.

Rights under GDPR

Data subjects are entitled to a number of key rights under GDPR, including the right to erasure (the "right to be forgotten") and the right of access. American tech companies, like any other company, must understand that data subjects may ask to see the information an organization holds about them. They have the right to confirm whether their data is being processed and, if so, for what purposes, what categories of data are involved, who receives it, and how long it will be kept.

Refusing a valid access request is an infringement of the Regulation and attracts administrative fines in the higher tier; GDPR itself does not create criminal offences, although member states may add their own penalties. Organizations must respond within one month (extendable by two further months for complex requests) and must provide the first copy free of charge; a reasonable fee may be charged only for further copies or for manifestly unfounded or excessive requests. Personal data must be erased on request when one of the grounds for erasure applies, for example when the data is no longer needed for the purpose it was collected for, or the data subject withdraws consent and there is no other lawful basis, subject to the exceptions in the Regulation such as compliance with a legal obligation. Other rights enshrined in the new law include the right to data portability, the right to be informed, the right to rectification, the right to restrict processing, the right to object, and the right to have recipients of the data notified of any rectification, erasure, or restriction.

GDPR Breach Notification

The era in which breach notification was largely left to the discretion of organizations ends when the new EU regulation applies from May 25, 2018. Under this law, a controller must notify the competent supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals; a notification made after 72 hours must explain the reasons for the delay. Where the breach is likely to result in a high risk to the rights and freedoms of individuals, the controller must also inform the affected data subjects without undue delay. Processors do not notify the authority directly; they must notify the controller without undue delay after becoming aware of a breach. Failure to meet these obligations can lead to significant fines.

Consequences of Non-Compliance

Companies should be aware that GDPR sets a high bar for compliance, and that infringements carry penalties most businesses would not want to face. It gives supervisory authorities investigative powers, including on-site audits, and corrective powers to issue warnings and reprimands, order specific remediation measures, and impose temporary or permanent bans on processing. The most serious infringements, such as breaching the basic principles of processing, the conditions for consent, data subjects' rights, or the rules on international transfers, carry fines of up to €20 million or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher. A lower tier, covering obligations such as breach notification and records of processing, carries fines of up to €10 million or 2% of worldwide annual turnover.