Broker Check

GDPR Compliance for US Organizations

February 28, 2020

The General Data Protection Regulation (GDPR) has been in force in the European Union since 5/25/18, but according to the Cyber Security Intelligence website almost 30% of businesses are not compliant. Since GDPR applies to organizations outside the European Union who collect data on EU residents, it is important to know what activities are affected and what constitutes personal data.

The GDPR differentiates between collection and processing data. Collection must take place in the EU, but processing can be done anywhere if the activities are related to the offering of goods or services, or monitoring data subjects' behavior within the EU.

For what constitutes "personal data" under the GDPR, a post on the Compriseh2020 website "Personal Data: Concept and Categorisation" discusses this in detail.

Personal data is any information related to an identified or identifiable natural person. An "identifier" is any factor specific to the identity of that person. This is a broad definition covering both objective and subjective information, in any form.

The GDPR does not list identifiers but gives examples. An exception is Article 9 (1) which does list particularly sensitive data. (Refer to the article for details.) 

If your organization collects and/or processes personal information of natural persons within the EU, you should become familiar with GDPR requirements. Even if you don't do business in the EU, those requirements are being used to update state laws. California's privacy and protection law took effect 1/1/20, and may be amended to allow individuals to sue violators. At least ten states and a number of foreign countries are working on privacy laws modeled on the GDPR.

Non-compliance is expensive. Fines can be up to 20,000,000 Euros or 4% of a company's worldwide annual turnover. According to the Comprise article, fines have already reached 144,866,145 Euros and can be expected to increase.