Remember the cookie consent popups that began appearing on websites earlier this year?
They began thanks to the European Union’s General Data Protection Regulation (GDPR), which came into effect and impacted US businesses starting in May 2018.
US organizations may be subject to the GDPR, according to a November 28 seminar co-hosted by the Indy Partnership and the U.S. Department of Commerce at Bingham Greenebaum Doll. The seminar featured US embassy and legal experts who helped decode the legislation into actionable steps to mitigate company risk. Key takeaways were:
About the GDPR:
The GDPR protects individuals’ personal data and its free movement in the EU.
Organizations that need to comply with the GDPR:
US-based companies, non-profits, universities, and even local governments may all need to become GDPR-compliant, based on their business.
To whom it applies:
Does your organization:
- Offer goods or services to individuals in the EU?
- Monitor the behavior of individuals?
- Have employees in the EU?
- Target the EU market in any way?
If you answered yes to any of the above questions, the GDPR may apply to your organization.
Any organization that houses personal data from EU individuals needs to comply. Personal data can include names, emails, addresses, ID numbers, location data (for example, the location data function on a mobile phone), IP addresses, a cookie ID, and more.
Penalties for non-compliance:
Penalties for non-compliance can include being reported to the Federal Trade Commission in the US, or fines of up to 4% of annual revenue or up to EUR 20 million (roughly USD 22 million), whichever is higher. More simply, EU-based partners may avoid doing business with non-compliant entities because of the requirements they themselves must follow.
How to become compliant:
US organizations must establish clear policies and practices to protect the personal data of EU individuals that is housed or processed within their organization. Websites could include consent forms for the use of personal data and provide privacy policies. US companies can also voluntarily self-certify their compliance for data transfers from the EU to the U.S. through the Privacy Shield Framework, designed by the U.S. Department of Commerce together with the European Commission and the Swiss Administration. Other mechanisms to certify compliance are available through private companies.
Need more information?
Still have questions? You can also contact our hosts and presenters:
- Jennifer Pearl, Director of International Programs, Indy Partnership (firstname.lastname@example.org)
- Mark Cooper, Director, U.S. Commercial Service, Indianapolis, Indiana (email@example.com)
- Isabelle Roccia, Senior Advisor for Digital Policy, Privacy and Cybersecurity, U.S. Mission to the EU (Roccia@trade.gov)
- Andrew Steele, Policy Advisor & Administrator of Privacy Shield Team – U.S. Department of Commerce (Steele@trade.gov)
- John F. McCauley (CIPP), Partner at Bingham Greenebaum Doll LLP, Indianapolis Indiana (JMcCauley@bgdlegal.com)