I thought I would dedicate this blog to one topic that keeps coming up: “As a US business or government organization, does GDPR affect me?” However, even if you are not based in the United States, I encourage you to continue reading, as the same challenges, restrictions, enforcement and opportunities still apply around the world.
What people are really asking is whether the EU’s new teeth can be brought to bear outside of the EU, and in particular, what influence it could possibly have against an economic giant such as the US. Why should organizations listen, take notice or even be slightly worried? For many small organizations that only trade within the US and have no interest in employing EU citizens or dealing with any EU citizens’ data, the answer is going to be pretty simple. However, unless you can be absolutely sure that you will not hold, receive or pass through data by any means regarding an EU citizen, no matter where they actually live, then you may need to be a little more attentive.
So let’s try to answer the first question: can the European Union impose a fine or penalty on a US or otherwise external organization? The simple answer is yes, although the extent of the penalty and how it is enforced will depend on many factors, such as:
But yes, the simplest way for the EU to impose a fine or penalty on a non-EU-based company is to use local data protection regulations. Increasingly, GDPR is being seen as the standard model for other countries, so you may find yourself subject to local rules based on GDPR compliance principles that impose even greater restrictions and penalties. In other countries, the primary route for ensuring compliance and enforcement will come from the Data Protection Authority (DPA). However, a DPA does not exist in the US. The closest equivalent that has jurisdiction over most commercial organizations is the Federal Trade Commission (FTC), as well as a state attorney’s office, which has similar authority over other areas.
The real question is how far the US Department of Commerce wants to go to avoid trade embargoes and impediments. We have already seen that the US-EU Safe Harbour self-certification program “PrivacyTrust”, formerly “eTrust”, fell short of European Commission requirements and has been replaced by Privacy Shield. In the meantime, this forced cloud providers to establish data centers and data policies that favor the EU territories. There is also an underlying desire by governments to protect their citizens, and by organizations to take a moral stand on how personal information is handled and used. On many occasions, we have heard that the European Commission’s data protection and data privacy policies are leading the way for the rest of the world. We also need to note that many countries have stronger regulations within their own borders that need to be adhered to. So the practical upshot is that US companies will be under pressure to adhere to GDPR requirements if they wish to trade with or pass data through the EU. This will be backed up by the US government’s own interest in enforcing any failures, in order to prove itself a desirable platform for e-commerce.
It is important to remember that you will be competing, both as a country and as a business, against those that handle personal data to the high standards laid out by GDPR. Companies that have a strong moral compass and verifiable good data practices will do well as we move into this new era of ethical e-commerce, where individuals have the ability to choose to be adequately protected.
This article was originally published here.