My first impression after hearing about the new European General Data Protection Regulation (GDPR) was that it wouldn’t apply to a US company. Better safe than sorry, though, so I decided to take a few minutes to study it anyway. What I found was that it does establish privacy rights for European Union (EU) residents or visitors, but in some cases it can also apply to companies outside of the EU. That applicability is based on the location of the business activity, not the home office of the company. This means that if you have a branch in the EU, or are actively promoting business there (i.e. web-based), GDPR applies to your company for all activity related to EU residents that transact business in the EU. Conversely, if you do not have a branch and are not actively promoting business in the EU, GDPR does not apply to your company, even if an EU resident seeks you out for business.
Practically speaking, assume you are a US-based bank with branches only in the US, and you do not actively pursue business in the EU. If an EU resident seeks you out online and opens an account, the GDPR rules do not apply to your organization. Likewise, if data is collected from an EU resident while they are visiting the US, GDPR doesn’t apply.
Looking at the requirements themselves, the regulation, effective May 25th, seems similar to what we already adhere to for GLBA or HIPAA, with a couple of key exceptions:
- For receiving GDPR data, you must receive explicit consent from the consumer (similar to HIPAA, not included in GLBA)
- For children’s data, you must receive explicit consent from the parent or guardian (similar to HIPAA, although the age is 16 rather than 18, not included in GLBA)
- Consumers have a “right to be forgotten” if they stop doing business with you (i.e. you must delete all of their data; however, this does not supersede legal requirements for data retention). Not directly covered in HIPAA or GLBA
- Data can only be shared with other parties that have a legitimate interest (similar to HIPAA, not directly covered in GLBA)
- Notification of breach must be completed within 72 hours (60 days in HIPAA, varies by state for GLBA)
- If you utilize a vendor in a way that gives the vendor access to GDPR information, that vendor must be GDPR compliant, and this needs to be added to your due diligence, monitoring activities, and contracts
- 3rd and 4th parties need to be included in the due diligence, monitoring, and contract review process
What if you are found in violation of the regulation? GDPR is enforced by the Data Protection Authority (DPA), which is a separate entity in each country. It is expected that some countries will be stricter than others. That said, the level of jurisdiction the EU has in the US to levy fines is not clear; however, the reputation impact may be significant regardless of whether a fine is enforced. To be sure you are complying with GDPR standards, it is best to work these changes into your Information Security Program and your Vendor Management Program if you have any dealings in the EU.