The General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) is a European Union law that protects the personal data of individuals in the EU. It also lays down rules for the free movement of personal data within the Union. It was adopted in 2016 and became enforceable on 25 May 2018.
The regulation's territorial scope (Article 3) covers every organization, inside or outside the EU, that processes the personal data of people in the EU. Whether the organization has an office or establishment in the EU does not matter.
Does the GDPR affect US companies?
Because the GDPR has extra-territorial scope, US companies are affected by it. Any US company that processes the personal data of people in the EU in the course of offering them goods or services, or of monitoring their behaviour, must comply. In practice this means that a US company whose website serves EU visitors and collects their personal data (for example through account sign-up, order forms, cookies or analytics tracking) falls under the GDPR for that processing. Such a company has to meet the GDPR's requirements and conditions for lawful processing. A company that does not comply and fails to protect the personal data of EU residents is exposed to heavy penalties and fines.
The following considerations indicate the most important tasks a US company needs to complete to become GDPR compliant:
- Map your company’s data
Audit all the personal data your company processes and document what you do with it: where it comes from, why it is collected, where it is stored, who it is shared with and how long it is kept. If this inventory shows that your organization holds or has access to personal data of EU residents, you have to comply with the GDPR for that data.
- Controllers and Processors
Identify whether your organization falls into the category of a data controller or a data processor under the GDPR. A data controller determines the purposes and means of the processing of personal data; a data processor processes personal data on behalf of a controller. The same organization can be a controller for some processing (its own customer records) and a processor for other processing (a service it runs on a client's data). The distinction matters because controllers and processors have different obligations under the GDPR, and a controller may only use processors that offer sufficient guarantees and that are bound by a written data processing agreement.
- Data Protection Officer
The GDPR sets out rules on the Data Protection Officer (DPO). A DPO is mandatory (Article 37) when the organization is a public authority, when its core activities involve regular and systematic monitoring of data subjects on a large scale, or when its core activities involve large-scale processing of special categories of data (such as health data) or data relating to criminal convictions; the DPO does not have to be located in the EU. Separately, a company with no establishment in the EU that processes the data of EU residents must in most cases designate a representative in the EU (Article 27), who serves as the point of contact for supervisory authorities and data subjects. The two roles are distinct and should not be confused.
- Data Breach Notification
Under the GDPR a controller must report a personal data breach to the competent supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals; if the notification is late, the reasons for the delay must be given. A processor must notify the controller without undue delay after becoming aware of a breach. When the breach is likely to result in a high risk to individuals, the controller must also inform the affected data subjects. Meeting the 72-hour deadline requires an incident response process that can detect, assess and escalate a breach quickly, with the facts (nature of the breach, categories and approximate number of records and individuals affected, likely consequences, measures taken) ready to report.
- GDPR Penalties and Fines
US companies that have access to the personal data of EU residents must comply with the GDPR; otherwise the penalties for non-compliance can reach into the millions. The GDPR has two tiers of administrative fines: up to €10 million or 2% of the company's total worldwide annual turnover of the preceding financial year, whichever is higher, for breaches of obligations such as security, breach notification and record keeping; and up to €20 million or 4% of total worldwide annual turnover, whichever is higher, for breaches of the basic principles of processing, of data subjects' rights or of the rules on international transfers.