With the advent of the new European Data Protection Regulation, all companies globally are required to adhere to the law if they are storing or processing the personal information of any European Union citizens. This means that US companies doing business with European countries must, in theory, adhere to the law. If they do not, the potential penalties are €20M or 4% of the previous year’s gross global turnover, whichever is the greater.
So why do I say “in theory”? Well, these are uncharted waters, and we have yet to see what the national authorities and the European Data Protection Board can actually do outside of the European Union.
Let’s take a scenario where the Acme Cola company finds out that it does not have opt-in consent from the consumers on its database. Are they (like the pub chain JD Wetherspoon) going to delete that data, or is it too valuable to them to get rid of? Imagine that they don’t, and complaints are made against them. What if they ignore those complaints? What can the ICO or the EDPB do? They can give warnings, but if they try to issue fines, will the company take notice, and how can those fines be recovered?
In theory, the EDPB could place embargoes on sales of Acme Cola’s products within Europe. But if Acme Cola has a strong voice in the Senate, or indeed in Washington, would the US authorities play ball and encourage them to pay the fines? Or would they be lobbied and fall on the side of Acme Cola, saying “no, we do not accept that US companies should have to adhere to someone else’s law”? And if you try to embargo US companies, then the same could be done in return to European companies, which profits no one.
In reality, nobody knows what will really happen. All we can say is that this illustrates the complexities, grey areas and potential pitfalls that come along with the new regulation. Our advice would be to always adhere to the regulation as much as possible; however, we can see that there will be a potential impact on business, so wait with bated breath to see what unfolds after the 25th of May 2018, when the regulation comes into effect.
If you want to make completely sure that you’re covered, whatever happens, there are many solutions on the market that can help you meet GDPR requirements. LepideAuditor, for example, comes pre-packaged with reports that are tailored to the specific articles of GDPR.