What Challenges does GDPR Present to American Companies?


    Leonardo Koshoni, Head of Business Analysis
    October 20, 2021

    GDPR, the European Union’s signature data protection law, which came into force in the spring of 2018, has been called by some experts one of ‘the biggest changes to US privacy law’. However, the GDPR compliance challenges for US companies really derive from the fact that many American companies don’t realize that GDPR applies to them! So, let’s look at some of the challenges GDPR presents, and at which US companies may be affected.

    GDPR is extraterritorial and the EU is getting more aggressive

    The first point that American companies need to know is that GDPR applies to companies outside the EU, even those that have no European presence and don’t sell their product in the eurozone. This is a major challenge for US companies, since many think (wrongly) that because they aren’t in Europe, they don’t have to worry about GDPR. At the same time, the EU is getting more aggressive, with over $400 million in fines against US companies in 2019.

    What triggers GDPR rules?

    One of the biggest GDPR compliance challenges is knowing when GDPR is triggered. Some American GDPR experts have said that it only applies when processing the data of EU citizens, which is not exactly true. In short, there is a lot of misinformation out there, because, like any law, the text leaves some room for interpretation. What is clear, however, is that GDPR is triggered when data is collected in Europe.

    Data collected from EU Data Subjects triggers GDPR

    The full reach of GDPR is still being debated four years after it came into effect. However, one thing that is perfectly clear is that GDPR applies to the data of EU data subjects. This means both EU citizens and EU residents, and it is not restricted by where the data is collected or processed.

    This means that if you have, for example, one EU citizen in your user base, GDPR applies to you even if that customer lives in the US. But it gets even more complicated. Firstly, there is the UK GDPR, essentially a copy of the EU law, which applies to UK citizens no matter where they live. And, to make things even more complicated, there is an argument about what the term "data subjects" actually means, given that there is no clear definition in the law. This means the definition will be established over time through court cases and fines.

    Where do these GDPR Compliance Challenges leave US Companies?

    American companies can’t know whether their customers are EU data subjects, because the definition is unclear. They can't even know whether their customers are EU or UK citizens, since that data is not normally shared during onboarding, and even a simple count of Americans who hold EU passports is hard to obtain.

    However, changes closer to home could mean that GDPR compliance is critical even if you're sure you have no EU citizens as users. New privacy rules like the CCPA in California mean that a GDPR-like regime is coming to the US anyway. Given the size of GDPR fines ($24 Million), it makes sense for most US companies to come into compliance.

    Turn Compliance into a Competitive Advantage

    By coming into compliance, US companies can open a new market, because once you are compliant you can go to Europe, and you future-proof your business, since new initiatives like the CCPA are based on GDPR.


