Remember the cookie consent popups that began appearing on websites earlier this year?
They began thanks to the European Union’s General Data Protection Regulation (GDPR), which came into effect and began affecting US businesses in May 2018.
US organizations may be subject to the GDPR, according to a November 28 seminar co-hosted by the Indy Partnership and the U.S. Department of Commerce at Bingham Greenebaum Doll. The seminar featured US embassy and legal experts who helped decode the legislation into actionable steps to mitigate company risk. Key takeaways were:
The GDPR protects individuals’ personal data and its free movement in the EU.
US-based companies, non-profits, universities, and even local governments may all need to become GDPR-compliant, based on their business.
Does your organization:
If you answered yes to any of the above questions, the GDPR may apply to your organization.
Any organization that houses personal data from EU individuals needs to comply. Personal data can include names, emails, addresses, ID numbers, location data (for example, the location data function on a mobile phone), IP addresses, a cookie ID, and more.
Penalties for non-compliance can include being reported to the Federal Trade Commission in the US, or fines of up to 4% of annual revenue or EUR 20 million (roughly USD 22 million), whichever is higher. Or, more simply, EU-based partners may avoid doing business with non-compliant entities because of the requirements they themselves must follow.
US organizations must establish clear policies and practices to protect the personal data of EU individuals that is housed or processed within their organization. Websites could include consent forms for the use of personal data and provide privacy policies. US companies can also voluntarily self-certify their compliance for data transfers from the EU to the U.S. through the Privacy Shield Framework, designed by the U.S. Department of Commerce together with the European Commission and the Swiss Administration. Other mechanisms to certify compliance are available through private companies.