The EU General Data Protection Regulation (GDPR) takes effect on May 25, 2018 and represents a major shift in data privacy management. The regulation aims to better protect EU residents from data breaches and misuse of their personal data, and its reach extends well beyond the EU, including to the U.S. This means that US-based companies that have EU clientele, or that market to the EU, must adhere to its terms. The GDPR's official website states that the regulation “will apply to the processing of personal data by controllers and processors in the EU, regardless of whether the processing takes place in the EU or not. The GDPR will also apply to the processing of personal data of data subjects in the EU by a controller or processor not established in the EU, where the activities relate to: offering goods or services to EU citizens (irrespective of whether payment is required).”
US-based WordPress hosting provider Pagely has been outspoken about its company's ethical commitment to the GDPR and has developed a compliance guide for WordPress sites. Director of Security and Privacy Robert Rowley told Scope Weekly in an exclusive interview that, “As of this week, our team at Pagely can officially say we can successfully adhere to the GDPR. We have prepared ourselves well to the point that I can say we're walking the walk better than an average US web host.” This is a smart move for Pagely, considering that violations of the regulation can result in hefty fines. Moreover, ignoring it erodes consumer trust in corporations that should be serving the best interests of their clients' private data.
CTO of Pagely, Josh Eichorn, told Scope Weekly that,
Outlining unambiguous consent for use of private data will help to hold corporations like Facebook accountable, putting rights to privacy back in the hands of the people.
Eichorn told Scope Weekly that, despite hesitance among his colleagues, the GDPR merely assures EU residents of legal rights over their personal data. This shouldn't become problematic for US-based companies that cross their T's and dot their I's. Even a firm with no direct relationship with the UK or EU should remember that its vendors, clients and investors may be affiliated with the EU in some way, which calls for a thorough audit of its data processing model. When asked whether they foresaw similar changes coming to the U.S., Rowley told Scope Weekly:
In the wake of the Cambridge Analytica, Experian and today’s LocationSmart and Securus leaks, it seems like it’s a matter of time before a GDPR-like law will be drafted in the USA.
The regulation is the first major overhaul of EU data protection law in over 20 years, replacing the 1995 Data Protection Directive. Never before has a regional law had such an expansive scope, deliberately making US companies responsible for the data of EU residents held on their servers. Violators can be fined up to 4% of annual global turnover or €20 million (roughly $23.5 million), whichever is higher. Additionally, consent from data subjects for US companies to process their data must be clear and “given in an intelligible and easily accessible form.” Mandatory breach notification (to the supervisory authority within 72 hours of becoming aware of a breach), the right of access, the right to object to or restrict processing, and the right to erasure (the “right to be forgotten”) are among the rights the regulation gives to data subjects.
Aside from the key changes listed above, some American organizations will now have to appoint a data protection officer (required where the core activities involve large-scale monitoring of individuals or large-scale processing of sensitive data), and those without an establishment in the EU will generally need to designate a representative in the EU. Hospitality, travel, software and e-commerce companies will almost certainly have to revise their marketing and data processing practices. However, any company in the U.S. with a European customer base should thoroughly assess its online operations.
Truth be told, the GDPR is well overdue, as times have changed dramatically since the mid-90s. We live in a period where there is simply too much personal information in circulation and not enough resources to adequately monitor how it is used. Hopefully, U.S. companies are receptive so they can avoid large penalties, scrutiny or even unpredictable consequences. We'll see how long it takes for U.S. legislators to follow suit and make some serious adjustments to data privacy law.