Online shopping, social connection, and content sharing have grown enormously over the past decade, creating a need for stronger protection of users' personal data. In response, the European Union (EU) adopted the General Data Protection Regulation (GDPR) with the aim of giving individuals far greater control over their personal data and making the bloc fit for a complex, multifaceted digital age. The GDPR applies not only to businesses established in the EU but also to businesses outside the region that offer goods or services to individuals in the EU or monitor the behaviour of individuals in the EU, and thereby process the personal data of those individuals. The GDPR sets out a wide range of requirements and penalties while aiming to rebuild the eroded trust between consumers and the businesses that handle their personal data.
U.S.-Based Company with EU Operations
Requirements/scope. The GDPR imposes a broad range of requirements on a U.S.-based company that has a physical presence, products, employees, and customers in Europe and collects personal data there. The first is accountability for the handling of personal data: the company must have effective data protection policies, documentation of its processing activities, and reliable data protection impact assessments (Merlin, 2017). For instance, the firm must be able to document why it collects and processes personal data, describe what categories of personal data it holds, and explain the technical and organisational security measures it applies. In addition, if the company's core activities involve regular and systematic monitoring of data subjects on a large scale, or large-scale processing of sensitive (special-category) personal data, it must appoint a qualified data protection officer (DPO).
Beyond these requirements, the GDPR obliges the U.S. company in question to revise both its EU-directed online marketing interactions and its forms so that they obtain explicit consumer consent (Merlin, 2017). In the GDPR's language, consent must be freely given, specific, informed, and unambiguous. According to Maja (2016), one of the most important GDPR requirements is that data subjects must be made aware of why, how, and where their data is collected, used, and transferred. Although the responsibility for consent and notification falls on the data controller, controllers must work hand-in-hand with their processors to ensure that the rights of data subjects are not breached.
In addition to redefining online marketing, the GDPR introduced a 72-hour breach notification requirement. This new requirement obliges the company's information technology (IT) department to respond far more promptly than before. Specifically, the company must analyse and report any personal data breach, meaning a breach of security leading to the accidental or unlawful destruction, loss, or alteration of, or unauthorised disclosure of or access to, personal data that is stored, transmitted, or otherwise processed (Merlin, 2017). In its analysis, the IT group must be able to determine whether the exposed data is likely to put the rights and freedoms of EU data subjects at risk and, where that risk is high, whether the affected data subjects themselves must also be notified.
Potential Penalties
The GDPR carries a broad range of hefty penalties for companies that violate its requirements by mishandling personal data. In particular, Article 83 of the regulation establishes two tiers of administrative fines: up to 2% of the infringing firm's annual global turnover (AGT) or EUR 10 million, whichever is higher, and up to 4% of its AGT or EUR 20 million, whichever is higher (Cornock, 2018). The level of the fine depends on a number of factors, including whether the infringement was intentional or negligent, the presence and effectiveness of preventive and mitigating measures, the nature and history of the infringement, and whether the breach was notified in a timely manner. Moreover, the penalties do not necessarily end with an administrative fine, because the regulation also allows affected data subjects to seek compensation for both material and non-material damage.
Liability Mitigating Actions
The U.S.-based company can adopt a variety of result-oriented remedies that cover every aspect of compliance and help it avoid penalties. First, the company should notify the competent EU supervisory authority of any personal data breach within 72 hours of becoming aware of it (Paul & Michal, 2016). Where the breach poses a high risk to individuals, particularly to fundamental privacy or property rights, the company should also maintain an appropriate mechanism for reaching and notifying the affected data subjects. Beyond adhering to the 72-hour rule, the company can reduce its liability by updating its privacy language and content to meet the GDPR's requirements (Merlin, 2017). This puts the firm in the best possible position to avoid lawsuits, compensation claims, and administrative fines.
Other remedies include defining new roles for data collection and processing. The firm should brief management and individual employees on the benefits and risks associated with the GDPR (Paul & Michal, 2016). It should also assess its current data protection standards and amend any that do not align with the GDPR's provisions. It can do this by auditing the personal data it currently holds to identify existing and potential risks in how that data is collected, processed, transmitted, and shared (Cornock, 2018). In short, the company can remain GDPR compliant by engaging all responsible stakeholders in informed, change-driven decisions on consumer data protection.
U.S.-Based Company without EU Operations
The GDPR does not exempt firms that lack a physical EU presence but market their products over the World Wide Web. In this context, the company located in Michigan remains subject to the GDPR's requirements when it collects personal data from people in EU countries (Paul & Michal, 2016). The GDPR reaches this company through Article 3(2) on territorial scope, which extends the regulation to controllers and processors outside the EU that offer goods or services to data subjects in the EU or monitor their behaviour as it takes place within the EU. Importantly, the provision applies only if the affected data subjects were in the EU at the time their data was collected, which is consistent with EU law applying within the EU's own territory. As a result, if individuals who live in the EU are outside the bloc when the company collects their data, the GDPR does not necessarily apply.
On the other hand, if the firm gathers personal data, what U.S. usage calls personally identifiable information (PII), as part of a targeted marketing strategy, the collected data is protected by the GDPR. Broadly speaking, the business must be targeting data subjects in EU countries to be liable for any resulting damage; the GDPR does not apply to generic marketing (Paul & Michal, 2016). For instance, if an EU user happens upon the company's webpage, written in English for customers in Michigan or for U.S. B2B customers, and subsequently suffers the consequences of a personal data breach, the GDPR does not cover that case. In contrast, if the marketing language and content are directed at EU users and customers, for example by quoting prices in euros, using the language of an EU member state, or referring to customers in the EU, the firm's webpage meets the criterion for targeted marketing, which is governed by the GDPR.
References
Cornock, M. (2018). General Data Protection Regulation (GDPR) and implications for research. The European Menopause Journal, 111, A1-A2.
Maja, B. (2016). Data protection and conflict-of-laws: A challenging relationship. European Data Protection Law Review (EDPL), 3, 333-334.
Merlin, C. (2017). The new territorial scope of EU data protection law: Deconstructing a revolutionary achievement. Common Market Law Review, 54, 567-590.
Paul, de, & Michal, C. (2016). Expanding the European data protection scope beyond territory: Article 3 of the General Data Protection Regulation in its wider context. International Data Privacy Law, 6(3).