When the General Data Protection Regulation (GDPR) becomes law across the European Union, it will also affect non-EU countries. This is because GDPR applies to all businesses and organisations that are involved with the processing of the personal data of individuals who are within the EU, no matter where that business or organisation is located.
This does not just apply to EU citizens, but to citizens of any country who are within the EU when data is collected from them and processed. It is also worth noting that GDPR regulations do not apply to EU citizens whose personal data is collected and processed outside of the EU. Achieving GDPR compliance can be difficult for organisations in non-EU countries, such as the US, because their attitude to the protection of personal data is very different from that of the EU.
The EU Attitude to Data Protection
The ethos behind GDPR is that every individual should be entitled to privacy as a basic human right. This is why the new regulation sets out to harmonise the way that personal data is processed throughout the EU. The stipulations help to ensure that personal data is dealt with securely, in order to protect the privacy of individuals.
The US Attitude to Data Protection
There is no overall expectation of privacy in the US. Instead, personal data tends to be regulated depending on the subject matter. Examples of this are HIPAA, which regulates health data, and GLBA, which regulates financial data. What all of this means is that some information which is protected by GDPR requirements may not be protected under US law. Therefore, once GDPR becomes law, processing the personal data of individuals within the EU will have different rules attached to it than processing the personal data of those outside the EU.
How Does This Affect US Companies?
Dealing with two different attitudes towards data protection is likely to be too complicated for many US businesses and organisations. It will be too onerous to have separate systems for different groups of customers, depending on where they are located. It is also worth noting that one individual could be subject to two different sets of rules. For example, a man could purchase a TV from a US company, while at home in Texas. The data processed would be subject to US rules. He could then go on vacation to France and order more equipment from the same supplier while he is away. The data processed would be subject to GDPR rules, as the man is within the EU at the time of processing. You can see how complicated the situation can get.
This is why the most appropriate approach to adopt would be to treat data protection as an all-encompassing requirement in all aspects of data processing. This is a less complicated approach in the long term and helps to ensure that businesses and organisations are compliant with the GDPR. It remains to be seen how many US businesses and organisations adopt this approach.