Useful Information about GDPR for US Companies
I recently read an article about the General Data Protection Regulation (GDPR); I'm starting to sound like a broken record. Anyway, it brought up some interesting tidbits that I had not come across before. One of the questions posed had to do with targeted marketing: would an EU user who happened upon a US website be protected under the GDPR? The answer is no.
According to the article, GDPR would apply only if the website is in the language of the EU country and refers to EU or country-specific customers. If the website also accepts that country's currency and uses a country-specific domain suffix, such as .nl for the Netherlands, that is even stronger evidence that GDPR applies.
The likely suspects are US-based hospitality, travel, software services, and e-commerce companies. But remember, any US-based company that has localized web content should take a good, hard look at it to ensure compliance. Where GDPR applies, online forms and interactions must be altered to obtain explicit consent. According to the article, "In the language of the GDPR, consent must be 'freely given, specific, informed, and unambiguous.'"
When interactions fall within the GDPR guidelines, US-based companies will need a checkbox at the very least, accompanied by clear language on what the company intends to do with the email address. It is not allowable to rely on users clicking through to a 'terms and conditions' document. A separate checkbox is needed for each use of an email address, such as promotions or affiliate marketing.
Let's move on to other scenarios. Once the data is collected, it must be protected. As the article puts it: "US companies will then have to protect it under the GDPR's rules. For those that already follow existing data security standards – such as PCI DSS, ISO 27001, NIST – these new regulations should not be a burden."
Doesn't sound too onerous now, does it? Oops, wait a moment: the 72-hour breach notification clause. Since most US companies don't even tell us when there is a breach involving our personal information, or claim to be clueless that a breach has occurred at all, this is going to be challenging, to say the least. I can't wait to see this one play out! Not reporting a breach to the authorities within 72 hours carries a penalty of 2 percent of revenues. This is rarely talked about, and that's a lot of money.
If you are concerned about GDPR, I hope you take the time to read the article. I liked it because it was practical and to the point, not GDPR scare tactics. Are you concerned about GDPR?
Join us for our webinar, Enough Talk – Solving GDPR Problems Through Metadata-Driven Compliance, on Wednesday, March 14, 2018. This session explains not only the ramifications of the General Data Protection Regulation (GDPR) but also how to address the compliance issues. It examines the tactical aspects of the solution, little-known stumbling blocks, and the tools that automate changes and provide an audit trail for compliance.