Customize Consent Preferences

We use cookies to help you navigate efficiently and perform certain functions. You will find detailed information about all cookies under each consent category below.

The cookies that are categorized as "Necessary" are stored on your browser as they are essential for enabling the basic functionalities of the site. ... 

Always Active

Necessary cookies are required to enable the basic features of this site, such as providing secure log-in or adjusting your consent preferences. These cookies do not store any personally identifiable data.

No cookies to display.

Functional cookies help perform certain functionalities like sharing the content of the website on social media platforms, collecting feedback, and other third-party features.

No cookies to display.

Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics such as the number of visitors, bounce rate, traffic source, etc.

No cookies to display.

Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.

No cookies to display.

Advertisement cookies are used to provide visitors with customized advertisements based on the pages you visited previously and to analyze the effectiveness of the ad campaigns.

No cookies to display.

In May of this year will see the new EU’s General Data Protection Regulation come into law. It will bring about a seismic shift in the data security landscape. For our US-based customers and you have only been following the major headlines, then you would have seen “the Right to be Forgotten”, “Subject Access Request”, “72-hour breach notification” as well as very strong fines from non-compliance. GDPR definitely has some teeth and you are going to have to take notice of it.

EU companies are preparing for the new GDPR legislation, each of them on their own journey to be ready by the May deadline and create a plan with policies in place to show the regulator they have readied themselves for GDPR. The question we get asked a lot about is what about the US companies that have no direct business in the EU, do they need to concern themselves with GDPR?

Well, the answer is yes. Here’s why. If you are a US based company and have a presence in the EU and are collecting personal data, GDPR will apply to your company and so will the fines!

Geographical implications

Article 3 of the new GDPR states that if a company collects Personal data from someone in an EU country they must comply with GDPR. To clarify this further, it means that GDPR only applies if the Data Subjects are in the EU when the data was collected. If the EU citizen is outside of the EU when the data was collected then GDPR will not apply.

Specific consent

The U.S. companies that are selling or direct marketing into the EU will have to adjust their forms to allow for specific consumer consent. The language of the GDPR legislation means that consent must be freely given. Gone are the days where companies can add multiple lines of small print and use that as an excuse. Consent under GDPR means it has to be specific, informed, and unambiguous.

To show this in practice, I will use a Florida based company running a marketing campaign into Germany using a marketing web form to collect email address for a specific project. The Florida based company will need to use clear language informing the data subject what they intend to do with the email addresses once collected as well as a clear check or tick box for consent to use their data.

Once this data has been collected the US companies will have to protect it under the GDPR legislation. If they follow existing data security standard such as PCI DSS this new legislation this should not be a problem.

Breach notification

Part of the new GDPR legislation is the 72-hour breach notification rule which does give some leeway in weighing up the risks to the data subject, but if you have a breach containing a large number of email addresses or sensitive data such as medical or financial data or any sensitive data relating to children then all would require notification to the EU regulator within 72 hours.

There will be ongoing questions about how the EU regulator will enforce these actions against US companies that are doing business and collecting data over the web. However, the EU is very serious in unifying the data privacy laws of its citizens and has already changed the web practices of US companies.

What this means is US companies have to take note of these changing practices and take the adequate steps to make sure they do not become a headline after the 25th of May 2018.

Want to keep up with all our blog posts? Subscribe to our newsletter!

Subscribe