GDPR for US Companies Selling into The European Union

Many people make the mistake of believing that the upcoming General Data Protection Regulation (GDPR) only applies to businesses and organisations that are established within the EU. This is not the case.

GDPR applies to any business that processes the personal data of individuals in the EU in connection with offering them goods or services, or with monitoring their behaviour, regardless of where that business is based. It also applies to any business with an establishment in the EU, including one that employs people there. This means that a US company selling into the EU needs to comply with GDPR requirements.


What should companies do to ensure this happens?


Any company whose core activities involve regular and systematic monitoring of individuals on a large scale, or large-scale processing of special categories of personal data (such as health, biometric, or political data), will need to have a data protection officer (DPO) in place. The DPO advises the business and monitors its compliance, but it is the business itself that must carry out an audit of the data it holds and determine what constitutes personal data. There is no exhaustive checklist for identifying personal data; it is any information relating to an identified or identifiable natural person, whether that person can be identified directly (by name, for example) or indirectly (by combining the data with other data, such as an IP address, device identifier, or customer number).

Any company that sells within the EU will need to know what personal data it holds, where that data is stored (including with third-party processors and cloud providers), and who has access to it. Companies will also need to examine the GDPR requirements that apply to them and ensure that they are adhered to. All of this is necessary in order to comply with GDPR and avoid heavy fines and other sanctions. This is an important consideration when you consider that the maximum possible fine is the greater of €20 million or 4% of a company's total worldwide annual turnover for the preceding financial year; potentially a very large amount of money.