GDPR, the European Union’s General Data Protection Regulation, came into effect in the spring of 2018. The general idea behind the regulation was to protect consumer data from exploitation and to give consumers the power to take on corporations of any size that hold any of their personal data. But does GDPR matter for US companies?
GDPR attempts to balance the power between the corporation and the individual. But it also placed a huge regulatory burden on any company that holds the data of any European Data Subject, i.e. any human being who is located in the European Union. For US companies, this last point is critical. With 12 million Americans visiting the EU every year and the vast majority of Europeans using American software services, the EU GDPR essentially applies to every US corporation. As one law firm put it, GDPR for US companies is “the most significant change to US data privacy security since HIPAA”.
Since GDPR came into effect on May 25th, 2018, it has created new risks for companies that struggled to understand certain requirements and how exactly they were currently handling customer data. Prior to GDPR, there had been a data gold rush, with companies trying to collect as much data as possible. However, post GDPR, with the added risks and the need to demonstrate a legitimate need for customer data, companies have had to change their operations and, in some cases, even their strategies and business models.
The short answer is yes, but let’s get into a little more detail on the risks GDPR poses for US companies. Without getting into too much of the legal text of the GDPR legislation, GDPR seeks to protect the “personal data of subjects” from the ‘processing’ of their data without their explicit consent.
Of course, as with any legal document, it’s critical to look at the definitions of terms to understand exactly what this means. So, let’s look at a few of those critical definitions and questions.
What does GDPR mean by “Personal Data”? GDPR offers a very broad definition of personal data as:
"any information relating to an identified or identifiable natural person… in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity"
This definition is so broad that even if you don’t have the name of the person in question, other circumstantial data could put a company in violation.
What does GDPR mean by “processing”? Again, GDPR offers the widest possible definition of processing:
"In the GDPR definitions, processing essentially refers to anything you can possibly do with someone’s personal information: collecting it, storing it, monetizing it, destroying it, etc."
Basically, if your company uses the data of even one person located in the EU in almost any way, GDPR considers that “processing” and you must comply with GDPR or face fines.
What about a US-based company that doesn’t do business in Europe? GDPR does not care whether the company is US-based. GDPR applies to companies both inside and outside the EU that process the data of any person who is located in the European Union, called a “Data Subject”.
"This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union […]"
If your company handles, processes, files, and manages the data of one of the 12 million Americans who visit the European Union every year, while they are located in the EU, GDPR applies to your company.
So, using some of these legal definitions, let’s look at a few scenarios to see if a company faces a GDPR risk.
An American Health Tech company only does business in the US and collects data on its customers, some of whom have moved to the EU. These customers may only have given the company their US citizenship information and not explicitly stated that they had, in fact, moved to the EU. GDPR applies. This company must comply with GDPR or could face fines.
An American Health Tech company only does business in the US and doesn’t actually store the names of customers. But it does store health data on specific patients, which it structures and analyses for the patient’s medical provider. The company doesn’t know whether any of these patients are currently located in the EU or not. GDPR applies. This company must comply with GDPR.
An American Health Tech company only does business in the US, and all of its users (whose data it stores) are in the US, but one of them is in the EU. GDPR applies. This company must comply with GDPR.
In conclusion, unless a company can be 100% positive that all of the people whose data it processes are not located in the European Union when the data is processed, even if they are just tourists, then it must comply with GDPR.
The next natural question is: what is the risk of non-compliance? GDPR fines for US companies could be an existential threat for small and medium-sized businesses. Depending on the scale of the infraction, fines can go up to € 20 Million ($23 Million) or 4% of turnover from the previous fiscal year, whichever is greater. According to the US International Trade Commission, in 2019 $417 Million in GDPR fines had been levied against US companies. While many of these companies did business in the EU as well as the US (like Marriott), some, like Verizon (the case is still ongoing), did no business at all in the EU. After a lenient period to allow the private sector to organize itself, regulators are becoming more aggressive by the month, with a particular focus on Health Tech.
GDPR for US companies is a real risk, and one that is well known to investors and VCs. If your company is a startup that is hoping to raise money in the future, GDPR also raises another challenge for you. When VCs audit companies to understand any risks their investments might face, they routinely look at industry-specific rules such as HIPAA, but they also look at GDPR risk. It makes sense from the VC’s perspective, because a GDPR fine could be an existential threat to a company.
Some have argued that GDPR risk or exposure could actually drive down valuations. But in our experience, because GDPR risk is so widespread, forward-thinking VCs generally push companies to comply with GDPR even if the company doesn’t do business in Europe. This is particularly true after the start-up becomes successful and appears on the radar of regulators, financiers and competitors alike.
GDPR for US companies is a real risk even if the company doesn’t do business in Europe. VCs and investors will push startups to come into compliance, and by complying with GDPR the risk is removed.
At the same time, coming into compliance with GDPR is the first step to opening a new market, and you might actually be able to turn that compliance into a competitive advantage. Complying with GDPR requires both technical knowledge of how software works with data and knowledge of the GDPR rules. If you ask a law firm to audit you for GDPR compliance, they will charge you the going rate for a lawyer to tell you that you’re at risk, but they won’t tell you HOW to come into compliance technically. That’s where we can help. Because so many of our customers were facing this challenge, we’ve launched a GDPR Compliance Audit that looks at technical compliance with GDPR and delivers three insights:
State of Your Software
Risk Identification and Mitigation
Roadmap and necessary resources to deploy an IT SecOps & Compliance Action Plan