EU GDPR: Should American Companies Be Worried?
Here’s what you need to know:
EU GDPR was adopted on 8th April 2016 and this data protection framework is expected to replace the current directive on 25th May, 2018. General Data Protection Regulation was designed to replace the Data Protection Directive 95/46/EC and harmonize data protection laws all over Europe. The primary objective of General Data Protection Regulation is to empower the EU citizens’ privacy, protect them from privacy breaches along with an intention to reshape the way organizations across the regions perceive data privacy. Companies that have not yet adopted the new system will be subjected to heavy fines. The big question is whether the GDPR is applicable to companies in the United States?
Applicability of GDPR to Companies outside of EU:
Since the traditional practice is being upgraded to GDPR, changes are to be expected but to what extent actually? And how will they impact companies? Here’s a briefing of what is yet to come;
General Data Protection Regulation extends the jurisdiction, the target of this application is all the companies currently residing in the Union, despite the location of the company. Data Protection Directive was comparatively ambiguous. The application of General Data Protection Regulation has few objectives;
- Processing personal Data via controllers
- Processing in EU
- Not taking account of the whether the processing is being done EU or not
Non-EU data processing business organizations of EU citizens will be required to appoint a representative in the EU.
Companies that are violating the privacy by design’s core by lacking in significant consents to process data will be subjected to serious infringements, under the General Data Protection Regulation organizations those in breach will be fined near 4% of the annual global turnover or €20 Million. Other regulations include;
- Companies having Unorganized records will face a 2% fine (article 28)
- Having a data breach and not reporting about it to the authority shall be fined along with a report of impact assessment should be presented.
- These regulations do not discriminate between controllers or processors.
- Exemption of ‘Clouds’ will not be observed from General Data Protection Regulation enforcements.
The term “Consents” has been taken very seriously and its impact has been strengthened, companies will be from then on restricted to use their traditional practices of having illegible terms and conditions contracts. The new consent must be provided with an intelligible and highly easy accessible form that lists the purpose of requiring such sensitive data and where it shall be applicated. Companies would be required by law to follow the following obligations:
- Designing consent forms that are clear to the reader and points can be understood clearly because of zero ambiguity.
- Distinguishable along with being intelligible.
- Being easily accessible.
- Having plain language.
- Designed in a manner that it is easy to withdraw consents
So, if you are a company that is either in the EU region or outside of it, you will need to think seriously about the law. Please feel free to drop in a comment or write to us if you want to know more in making your company compliant of GDPR.