In May 2018, the European Union introduced the General Data Protection Regulation (GDPR). All companies that sell products or services in the EU must comply with GDPR, whether or not the firm is located in the region. As for U.S. companies, a few have already been fined and several are not yet GDPR compliant.
The U.S. impact
“In the first nine months of the GDPR’s effectiveness, there were over 205,000 cases reported to EU supervisory authorities and other data protection watchdogs. About 65,000 of these concerned data breaches,” according to Crowell & Moring. The breaches ranged from minor incidents, such as promotional emails, telemarketing, and emails sent to the wrong addresses, to major incidents such as hacks affecting millions of people, illegal surveillance, privacy-compromising advertisement personalization, consumer activity tracking, and so on.
Some of the biggest fines imposed by the EU are on American companies. In July 2019, it was reported that the hotel chain Marriott was charged with a fine of around US$123 million for a data breach that started in 2014 and lasted well into 2018. Over 5 million people had their passport details stolen. About 8 million credit card details were also compromised. In total, 30 million EU residents were estimated to have been affected by the breach. In January 2019, Google was fined US$56.8 million for not providing their users with sufficient information regarding data consent policies and proper control over how their personal information is to be used.
Research by California-based Talend, as reported by CMS Wire, states that “only 20 percent of companies verified identification before providing personal data… Public sector and media/telco industries are the worst offenders with only 32 percent and 29 percent compliance rates respectively… The average company provides personal data from requests after 16 days.” The report also found that a lack of automation in processing requests is a major reason several U.S. companies have been unable to comply with GDPR requirements.
What U.S. companies should keep in mind
All American companies operating in the EU and processing personal data from people in the region should inform users why they are processing the data in the first place. They must conduct a thorough data protection impact assessment to understand the security risks involved in processing user data and identify ways to minimize those risks. Companies should implement end-to-end encryption to limit their data exposure in the event of a breach.
All firms have to follow the “Data Protection by Design and by Default” guidelines mandated by GDPR. U.S. corporations should also make sure that they have data processing agreements with their vendors. “You, as the data controller, will be held partly accountable for your third-party clients if they violate their GDPR obligations. So it’s important to have a data processing agreement that establishes the rights and responsibilities of each party. This includes your email vendor, cloud storage provider, and any other subcontractor that handles personal data,” according to the official GDPR website.
Larger organizations must have a data protection officer who is qualified according to GDPR guidelines and fully educated about their duties. According to Article 27 of the GDPR, some non-EU organizations are obliged to appoint a representative in a member state of the European Union.