The GDPR, Small Business, and a New International Paradigm

It’s not a coincidence—all those emails about changes in terms of service (ToS) agreements that you got in May were sent out because of something. That something is the General Data Protection Regulation (GDPR), legislation recently passed by the European Union (EU) to shore up data security, which took effect May 25, 2018.

EU legislation? Well how does that affect business in the United States? Especially small businesses? Should they care about this new European legislation, or leave all of those regulations overseas?

What Is the GDPR?

The GDPR was created to protect citizens inside of the EU and their data. It’s no small document, containing 11 chapters and 91 articles overall. Spade Design offers these highlights to help explain what GDPR is:

• Articles 17 and 18: individuals will now receive more control over automatically processed personal information, with the “right to portability” creating requirements for simplified data transfer and guaranteeing the right to erase data.
• Articles 23 and 30: these require organizations to use reasonable measures to guard consumer privacy and prevent exposure or data loss.
• Articles 31 and 32: these articles regulate how companies handle data breaches, sitting time frames during which organizations must notify authorities and how the affected subjects should be contacted.
• Article 35: requires companies that process data containing genetic, health, racial, ethnic or religious information to choose a data protection officer to act as a liaison between the company and the EU’s Supervising Authorities.
• Article 45: this article compels international companies that gather data from EU citizens to be subject to the same requirements and pay the same fines as companies located inside the EU.
• Article 79: non-compliance can cost up to four percent of an organization’s overall revenue.

To summarize, the GDPR was established to make sure that EU citizens are able to “opt-out” of data collection and storage, and to ensure that if that data is personal, especially personal lifetime data, that there are data protection officers and authorities to prevent that data from falling into the wrong hands. These laws also provide guidance on how to prevent, prepare against, and handle data breaches.

Globalization & International Compliance

The experts at Norwich University Online write that “the steady increase in globalization – businesses embracing international integration and influence into its operations – has brought with it many changes to society, which have heightened concern for international security.”

The GDPR is absolutely a response to these changes brought on by globalization, and an indicator that businesses of all sizes, no matter where they are located, are going to have to begin complying with international measures if they wish to exist in cyberspace. This is a new paradigm, but as we grow more connected, generate and use more data, and transcend the physical world with a more digitally-driven existence, these types of international regulations will likely become less few and far between.

The question remains, however: Just how, exactly, does an EU regulator enforce fines on a U.S. company (or any other company abroad, for that matter) when they don’t have any physical presence in the EU proper? Linda V. Priebe, a current partner at Culhane Meadows and the former deputy legal counsel a the Office of Drug Policy at the White House under Presidents Bill Clinton, George W. Bush, and Barack Obama, spoke with Aaron W. of Spiceworks on the matter:

“There has […] been long term and increasing enforcement cooperation between U.S. and EU data protection authorities,” Priebe says, pointing to the negotiations over the EU-U.S. Privacy Shield data sharing agreement, which puts systems in place for the EU to issue complaints and fines against U.S. companies.

She continues: “While we don’t yet have U.S.-EU negotiated civil enforcement mechanisms for the GDPR (and it is unknown whether we ever will), there is still the application of international law and potential cooperation agreements between U.S. and EU law enforcement agencies, which have been increasing in recent years.”

To sum it up, it will likely take the help of U.S.-based authorities to actually enforce these laws. Priebe, however, doesn’t seem to think that will be an issue.

A New Paradigm Born of Global Connectivity

It’s not that far-fetched to believe that Priebe is right. The future of security and privacy relies on regulatory enforcement in the face of globalization and digitalization, and world leaders understand this. Even with the Trump administration’s abrasive attitude toward the EU and other allies, the shared security of a connected world is something that first world countries can not ignore.

Small businesses would do well to adjust to this new paradigm, even if they don’t intend to do business with EU customers. It’s likely that a blanket set of standards will appear in the future with harsh repercussion against those who chose not to follow these standards. Adopting them now, rather than later, will result in reduced risk and better preparation for the future.