GDPR is a topic that has concerned EU-based companies since 2016. It became effective on the 25th of May 2018.
However, not just EU-based companies need to be concerned about the personal data processed by their organization. More and more US-based ones are also looking for a way to effectively solve the issues that stem from the contradicting EU and US policies.
Below we have listed the different areas US organizations need to be aware of in order to adapt their business to the changes.
Scope of GDPR
The General Data Protection Regulation protects the rights and freedoms of all data subjects that are residents of the European Union.
All EU-based companies must also comply with the Regulation and its requirements.
This means that, if you are doing business with an EU-based company and/or for some reason your organization has access to personal data of EU residents, you should make sure that you comply with the GDPR. For example:
- Your organization exports goods to the EU and you have access to the customer database
- You own a website and receive orders from around the world
- You own a shipping company and transfer goods from around the world
- You own a website where everyone is able to sign up and you collect personal data
In short, if there is a chance for your organisation to process personal data of EU residents, you need to be aware of GDPR.
How to safeguard your business from penalties
The EU-US Privacy Shield scheme became operational on the 1st of August 2016, when the European Commission issued its formal decision that the Privacy Shield provides adequate protection to allow personal data to be transferred overseas. In short, this is the official certificate that might protect you from GDPR penalties.
The certification costs may vary. For organizations with annual costs up to $5 million the fee is $250/$375, which is an acceptable annual fee. In addition, Privacy Shield certification may be viewed as proof that your organization is following the best practices related to Data Protection.
There is a list of all organizations certified under Privacy Shield available on its website, so every certified organisation is able to increase its online reputation and demonstrate its high quality standards simply by being listed there.
Keeping unmodifiable digital evidence
As we already mentioned in another article, unmodifiable audit logs are in many cases not just best practice, but also a necessity according to multiple standards and regulations. They help the organization prove that a certain event happened at a certain time, by ensuring that the logged data is tamper-evident and time-stamped. Such unmodifiable evidence is used for forensics, security audits, and proof of GDPR compliance.
LogSentinel supports event logging using unmodifiable blockchain technology. If you are interested in seeing how it works, sign up here.
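The paragraph above describes what a tamper-evident, time-stamped audit log has to provide, but not how a verifier actually detects a modified record. The following is an added example written for this page, not LogSentinel's code or the mechanism its product uses: a minimal hash chain where every entry commits to the previous entry's hash, plus a verifier. The entries (a consent granted, a consent withdrawn and an erasure request for a hypothetical subject `user-1042`) are constructed sample data; the helper names, the canonical-JSON encoding and the `GENESIS_HASH` constant are this example's own choices.

```python
import copy
import hashlib
import json
from datetime import datetime, timezone
from typing import Optional, Tuple

# Hash the first entry links back to, since no entry precedes it (example convention).
GENESIS_HASH = "0" * 64


def entry_hash(entry: dict) -> str:
    """SHA-256 over a canonical JSON encoding of the entry's committed fields."""
    committed = {k: entry[k] for k in ("index", "timestamp", "event", "previous_hash")}
    payload = json.dumps(committed, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(payload).hexdigest()


def append_event(log: list, event: dict, timestamp: Optional[str] = None) -> dict:
    """Append an event, linking it to the current head of the chain."""
    entry = {
        "index": len(log),
        "timestamp": timestamp or datetime.now(timezone.utc).isoformat(),
        "event": event,
        "previous_hash": log[-1]["hash"] if log else GENESIS_HASH,
    }
    entry["hash"] = entry_hash(entry)
    log.append(entry)
    return entry


def verify_log(log: list, anchor: Optional[str] = None) -> Tuple[bool, Optional[int]]:
    """Walk the chain. Returns (True, None) if intact, else (False, index of first bad entry).

    If `anchor` (the head hash stored somewhere outside the log) is given, the final
    hash must also equal it; a mismatch there is reported with index == len(log)."""
    expected_prev = GENESIS_HASH
    for i, entry in enumerate(log):
        if entry["index"] != i or entry["previous_hash"] != expected_prev:
            return False, i
        if entry_hash(entry) != entry["hash"]:
            return False, i
        expected_prev = entry["hash"]
    if anchor is not None and expected_prev != anchor:
        return False, len(log)
    return True, None


def build_sample_log() -> list:
    """Constructed sample data: the consent and erasure events the Do's list mentions."""
    log = []
    append_event(log, {"type": "consent_granted", "subject": "user-1042", "purpose": "marketing"},
                 "2018-05-25T09:00:00+00:00")
    append_event(log, {"type": "consent_withdrawn", "subject": "user-1042", "purpose": "marketing"},
                 "2018-06-01T14:30:00+00:00")
    append_event(log, {"type": "erasure_request", "subject": "user-1042"},
                 "2018-06-02T08:15:00+00:00")
    return log


def edit_entry(log: list, index: int, new_event: dict) -> list:
    """Return a copy in which one stored event was changed in place (simulated tampering)."""
    tampered = copy.deepcopy(log)
    tampered[index]["event"] = new_event
    return tampered


def recompute_from(log: list, start: int) -> list:
    """Return a copy with hashes recomputed from `start` onward, i.e. what someone who
    controls the whole log store could do to make an edited chain look consistent again."""
    rewritten = copy.deepcopy(log)
    for i in range(start, len(rewritten)):
        rewritten[i]["previous_hash"] = rewritten[i - 1]["hash"] if i else GENESIS_HASH
        rewritten[i]["hash"] = entry_hash(rewritten[i])
    return rewritten


if __name__ == "__main__":
    log = build_sample_log()
    anchor = log[-1]["hash"]  # publish or externally store this head hash
    print("intact:", verify_log(log, anchor))
    edited = edit_entry(log, 1, {"type": "consent_granted", "subject": "user-1042", "purpose": "marketing"})
    print("edited entry:", verify_log(edited, anchor))
    print("edited + recomputed, no anchor:", verify_log(recompute_from(edited, 1)))
    print("edited + recomputed, with anchor:", verify_log(recompute_from(edited, 1), anchor))
```

The last two lines of the demo are the point of the exercise: a chain on its own only detects edits made by someone who cannot rewrite the entries after the one they changed. The head hash therefore has to be anchored outside the log store (published, signed by an independent party, or written to a ledger such as the blockchain the section mentions) for the verifier to catch a full rewrite, and the timestamps are only as trustworthy as the clock and the anchoring that fix them.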
Complying with the Data Protection best practices
Do your best to comply with the best practices related to Data Protection, not only because of the law and the penalties, but also because of your customers’ loyalty. Customers feel safer using your services if you make sure that their data is kept safely. The trust in your brand will increase and you will stand out from those of your competitors who do not demonstrate a high level of compliance.
Most US-based organizations are looking for a way to avoid GDPR compliance, not only because it does not directly concern them, but also because they believe it is a useless and expensive effort. This means that the US companies who decide to comply with GDPR will have a strong competitive advantage.
Do’s and Don’ts
No matter what your organization decides to do, it is good to follow some basic rules to protect your company from data breaches, customer complaints and a bad reputation.
We have separated some basic rules into two types, Do’s and Don’ts, to help you get a better idea from a US perspective:
| Do’s | # | Don’ts |
|---|---|---|
| Comply with the Privacy Shield | 1 | Suspend IP addresses from EU countries |
| Keep records of processing activities | 2 | Ignore requests related to personal data |
| Make sure the personal data you store cannot be accessed by unauthorised parties | 3 | Sell personal data without the consent of the data subject |
| Keep unmodifiable digital evidence of personal data-related events (subscribe/unsubscribe consent, requests for deletion, etc.) | 4 | Approach customers in relation to marketing activities without their explicit consent |
| Make sure your partners also comply with Data Privacy best practices | 5 | Expose personal data publicly |