Do I, as a US-Business Owner, Need to Worry About GDPR?

For a while now, people have been talking about “GDPR”. But what does this security reform really mean for US companies? The usual answer you hear is “Nothing, right? – That’s just for European companies!” Wrong. Any company that has a web presence and markets its services or products over the internet has some work to do before May 25th.


On May 25th, 2018, the European Union (EU) General Data Protection Regulation (GDPR) will take effect after years of discussions. GDPR has been described as the most significant change to data privacy and security in recent years, the last 20 years to be exact. It’s a brand new legal framework for how organizations can use personal data – and it applies well beyond the borders of Europe. If you haven’t started to prepare for May 25th, it’s time to start. Several things need to be in place before the approaching May deadline. Any organization that processes, holds or owns European data, or is based in the EU, needs to follow the regulation – or prepare for heavy penalties. The law imposes fines of 2-4% of the global annual revenue of the prior financial year – a heavy burden to carry for most companies.


The short story – GDPR was introduced to protect EU citizens and their personal data, including the data that has already been collected, stored, processed or destroyed. Personal data is data that relates to an identified or identifiable natural person, meaning a person who can be identified through name, ID number, location data, or other factors specific to the physical, physiological, economic, cultural or social identity of that person. This even includes IP addresses, cookies, social media posts, online contacts and mobile device IDs.


It is all about the territorial scope! This means that if your US company processes personal data of an individual living in the EU when the data is accessed, your company is subject to the new law. Article 3 of GDPR says that this applies even if no financial transaction occurs. Another example: if your company is offering a marketing service globally or offering shipping worldwide, you must follow the new law. The same goes if your company is monitoring the behavior of EU residents, tracking their online behavior. Clarification: the law only applies if the consumers are in the EU when the data is collected; for collection of data from EU residents outside of the EU, the law would not apply.


SACC-SFL Advice of the day! All US-based companies, especially the ones with a strong presence on the internet, should check if their activity falls within the scope of GDPR. Did we stress you? No worries – the new law is just plain good business practice and will enhance trust from customers, which can be a competitive advantage!

Three steps:
  1. Track your data! It might take time (read: a lot of time), but it gives you multiple benefits. Make sure you are aware of which data you possess, where you have it, for how long you’ve had it and why you have it. Put someone in your organization in charge of data protection and make sure that the person has the necessary expertise and the ability to structure your organization’s data.
  2. Take a look at your consent and disclosure documents for your customers. The customers should be able to agree to or decline what kind of data you save. Agreement is the key.
  3. Re-evaluate your service agreements. If a third party is not able to prove that they are compliant with the new EU law, they are working illegally – which will most likely give you a bad reputation.


Text by: Emelie Malmquist
