Digital Assets Report



The EU’s GDPR – What does it mean for US-based firms?

By Olivia Munro – As the GDPR deadline steadily approaches, it is important to start preparing for the regulation if you haven’t already. In case you aren’t aware, the EU took a major step to protect its citizens’ personal data and privacy rights by enacting the EU Greater Data Protection Regulation (GDPR), which is scheduled to go into effect on 25 May, 2018. However, the fact that the GDPR is an EU regulation does not mean that US-based firms are exempt.

Any firm, even one based in the US, that monitors the behavior of EU citizens must comply. This means that even if your firm doesn’t do business in the EU but has a website or a form that collects data on EU citizens, you still need to comply. Failing to adhere to the GDPR can lead to fines of up to 2 million euros or 4 per cent of global annual turnover, whichever is greater.

Key Challenges US Firms May Face:

  • Consent is more challenging to obtain than before. Under the GDPR, consent mechanisms such as email opt-ins must give data subjects a very clear explanation of what they are consenting to, and consent must be voluntary and opt-in in nature.
  • Responsibility has shifted. In the past, your firm was not held responsible for enforcing vendors’ and third-party partners’ use of data and privacy protection; now it is.
  • Definitions of key terms have changed. The GDPR defines “personal data” and a “personal data breach” more broadly than most.

Because your firm is now responsible for how vendors and third parties store your data, it must ensure that your cloud provider has adequate protections in place. Firms should revisit existing cloud agreements and ensure they meet EU data privacy standards. This can be a time-consuming process, so you will want to begin negotiations if you have not already. Firms also need to update the privacy clause on their website to reflect any changes made, and to include all the ways they may potentially use personal data now and in the future.

Steps your firm should take:

  • Have a Written Information Security Policy (WISP) in place. A WISP can protect your organization and provides a safeguard against data theft and legal damages.
  • Use a data auditing solution to audit your data access and permissions. Permissions are often too broad, and tightening them can reduce your chances of a data breach.
  • Consider using a data classification engine to detect personal data and sensitive data on your network. Pay attention to how this data is stored, used, and shared.

Following the EU-US Privacy Shield can also help firms navigate the regulation. The Privacy Shield is a program under which participating U.S. companies are deemed to have adequate protection and can therefore facilitate the transfer of EU data. For more information on how the EU-US Privacy Shield will fit with the GDPR, stay tuned: we will be posting a blog about it on Thursday, 11 January.

Although it can be overwhelming to make sure your firm is compliant, there are resources available to make your job easier. For more information, checklists, and guidelines on the GDPR and how it affects U.S.-based firms, read our whitepaper, “The Deadline is Coming: What US-Based Firms Need to Know about the GDPR”. Using a third party or vendor as a resource can also be extremely helpful and provide expertise where your firm may be lacking.

Most importantly, your firm must be ready for the GDPR by 25 May, 2018; otherwise you may be subject to massive fines. That may seem like a long time away, but some of the preparations can be time consuming, and your firm needs to be thorough. To ensure that your firm is compliant or for additional guidance, contact Eze Castle Integration for an evaluation.
