Does GDPR Apply to US Companies?

By Tracy Martin – Senior Information Security Consultant – Intrinium  

By now, most of us have heard about the new European Union Privacy Regulation – GDPR.  And we probably did an initial review to see if it would apply to our company and thought that because the company was based in the US, we would not have to worry about it.  However, the way the new privacy laws are written, there are a lot of ways that our businesses could be affected by the far-reaching GDPR.  Let’s look at some of them:

  1. Internet Sales. If your company offers goods and services in a European Union country, you must comply with GDPR regardless of where your company is based.  The offer of goods and services can occur over the web and doesn’t have to be a physical location.
  2. Gathering Personal Information. If your company monitors the behavior or gathers personal information of EU residents, yep, you guessed it, GDPR applies.  The personal data referred to by the law refers to any information that can be used to identify a person either directly or indirectly, including name, email address, photo, medical information, bank details, posts on social networking websites and computer IP address.

Some are less obvious, such as these examples:

  1. Vacations, Business Trips, etc. If a customer makes a purchase while on vacation in the US, but later completes a warranty card when they return home to Germany and sends the card in, this counts as collecting personal information and the GDPR applies.
  2. Clients. Does your company support other companies that are based in the EU?  Do you manage their cloud services, manage their data center, help with marketing campaigns, etc.?  If so, GDPR may apply.
  3. EU-US Privacy Shield. Is your company already required to adhere to EU-US Privacy Shield Requirements? The GDPR has a much wider scope than the EU-US Privacy Shield, which only protects the flow of personal data in transatlantic data exchanges and exists as an agreement to allow this flow of information to take place. US companies within the scope of the EU-US Privacy Shield should assume they will have to comply with all of the GDPR’s requirements.
  4. Users with an EU IP address. As if determining who is covered under the GDPR isn’t already complicated, it also applies to data collected from anyone with an EU IP address.  This means that the physical location of the individual may not be the deciding factor!

How the GDPR applies to US companies collecting, using, or maintaining personal data can get complicated pretty quickly – particularly regarding those who collect personal data belonging to individuals located in and out of the EU.

What Does this Mean to Your Company?

The difficulty of addressing these questions, as well as several other complicated areas, makes GDPR compliance for US companies an area that requires action to be taken as soon as possible.  At Intrinium, we have been advising our clients to review their privacy policies and business needs to ensure that they are prepared to meet the requirements of the GDPR. 
