Despite the General Data Protection Regulation (GDPR) being a European Union regulation on data protection, increasing numbers of major US companies are also starting to follow the GDPR's more stringent privacy standards. When the Cambridge Analytica scandal dominated international headlines, it became clear that data protection would no longer be treated as an abstract legal theory. This article examines why GDPR compliance is catching on in the US and how data protection standards are likely to develop in the future.
GDPR vs US compliance laws
The difference between the EU approach to privacy and the US approach is largely rooted in completely different philosophies. Generally, EU member states view privacy as a fundamental human right, under which individuals own their own data. By contrast, the US does not view privacy as such a right, and companies take the view that they hold the proprietary interest in the personal data they collect. Because of this, the US has chosen not to create any overarching privacy regulation, preferring instead to create privacy laws when a need arises and using a sectoral approach, e.g. health, financial, marketing, etc.
However, despite these fundamentally different approaches to data rights, GDPR-compliant US companies are starting to emerge in response to the EU measures. Read on to find out why.
Who does GDPR apply to?
In short, if your company collects the data of EU citizens, the GDPR applies to you. Since the GDPR came into effect in May 2018, all companies worldwide with customers or employees who are citizens of the EU or based in EU countries are required to comply with the GDPR. Likewise, if a non-EU based company has customers, employees or contractors who are EU citizens or based in an EU country, they too must comply with these EU data privacy regulations.
A key practical concern is now arising around how to manage the transfer of personal data across borders. The GDPR states that any company sending personal data must ensure that the country receiving the data has equal or superior data protection laws in place. The US does not meet this criterion. And the consequences of unlawful data transfer are severe: GDPR supervisory authorities have the power to impose penalties of up to 4% of total worldwide annual turnover (see Article 83).
How GDPR affects the USA today
Looking at the impact of the GDPR in the US today, the attitude towards personal data privacy is changing rapidly, no doubt accelerated by the threat of a severe penalty for unlawful data transfer. Forbes magazine estimates that two months after the GDPR came into effect, approximately 20% of companies were in a position of strong compliance.
Two of the main reasons the GDPR is being taken so seriously in the USA are:
1. A globalized marketplace
The nature of the global marketplace means that a great many major US companies have customers, employees or contractors who are EU citizens or based in EU countries. This means they are required to comply with the GDPR, and the risk of harsh financial penalties is forcing companies to re-examine their risk tolerance thresholds.
2. Third-party risk: protecting your brand
Becoming a business partner of a GDPR-compliant company usually means the potential partner must also become GDPR compliant, to ensure no contamination from non-compliant data. Forrester's report on third-party risk management of GDPR-protected data highlighted the case of Cambridge Analytica, which inappropriately retained the customer data of fifty million Facebook users, causing a 6.77% drop in Facebook's stock price and ultimately serious damage to the Facebook brand.
S&R pros tell us they're concerned about their third parties being able to comply with the GDPR. One CISO from a media company reported that they terminated a number of existing relationships because those partners had inadequate data privacy standards.
The future of data protection standards
With the GDPR being accepted as the "new normal," the future looks good for the protection of individuals' personal data. The high price of brand damage and the looming possibility of fines from GDPR supervisory authorities are frequently discussed in the media. As a result, companies worldwide continue to react to the new rules, with over 50% actively making moves towards compliance, according to a recent article by Forbes.
How does Templafy work with the GDPR?
Templafy is fully compliant with the GDPR as a data processor and in terms of any GDPR personal data handling. We run all of our own infrastructure on Microsoft Azure and Microsoft Office 365, thus benefiting from the GDPR compliance of Microsoft’s services. For a fully detailed overview of how Templafy complies with the GDPR, you are welcome to read our article on data protection.
Templafy understands that safeguarding branding and ensuring compliance are practical aspects of an enterprise's day-to-day operations. We can help companies notify customers of how they are following GDPR regulations by automatically inserting your most up-to-date legal disclaimers into documents and emails. Helping you ensure compliance is at the heart of what Templafy's software can do for companies.