What Is the GDPR and Why Does It Matter to US Businesses?

Policymakers in the United States and in the European Union have both taken legislative and enforcement actions to ensure data privacy and protection to citizens. The EU has gone further than the US by implementing the General Data Protection Regulation (GDPR) in 2018 as the legal framework for data protection and privacy for every member state. This is the first legislation worldwide aimed at international control over how businesses handle consumer data.

European consumers welcome this legislation given concerns about the safety of personal information they provide online and a general distrust of online businesses.

What Is the GDPR?

According to the Congressional Research Service, “The GDPR establishes a set of rules for the protection of personal data throughout the EU. It seeks to strengthen individual fundamental rights and facilitate business by ensuring more consistent implementation of data protection rules EU-wide.” This complex piece of legislation has several goals:

  1. Identify legitimate bases for data processing and create common rules for data retention, storage limitation and record keeping
  2. Further develop the EU’s Digital Single Market (DSM) to create a standard on digital policies for all member states
  3. Bolster the EU’s technology sector relative to Chinese and U.S. competitors

The GDPR protects seven types of privacy data:

  • Basic identity information such as name, address and ID numbers
  • Web data such as location, IP address, cookie data and RFID tags
  • Health and genetic data
  • Biometric data
  • Racial or ethnic data
  • Political opinions
  • Sexual orientation

Why This Legislation Matters in the US

Multinational companies that are based in the U.S. and do business with and in the EU must comply with the rules in the GDPR if they meet the following criteria:

  • Have a presence in an EU country
  • Have no presence in the EU, but process personal data of European residents
  • Employ more than 250 people
  • Employ fewer than 250 people, but their data-processing impacts the rights and freedoms of data subjects, is not occasional, or includes certain types of sensitive personal data. That effectively means almost all companies. A PwC survey showed that 92% of U.S. companies consider GDPR a top data protection priority.

The GDPR places liability on data controllers (the organizations that own the data) and data processors (outside organizations that help manage that data). If your organization uses a third-party processor that is not in compliance, it means your organization is not in compliance. Companies that meet the criteria are responsible for ensuring compliance by hiring a data controller, data processor and a data protection officer (DPO).

The legislation challenges American businesses to apply stricter measures of data privacy and protection in their processes. When the GDPR was instituted in 2018, one in three adults planned to exercise their rights to remove personal data from online retailers’ databases and to request the cessation of data use for marketing purposes. As consumers become more educated about the implications of data exposure, this percentage is likely to rise.

To be compliant, companies need the same level of protection for things like an individual’s IP address or cookie data as they do for name, address and Social Security number. As another example, businesses cannot assume consent and give consumers a way to opt out in online forms. They will have to enable explicit consent for data collection. They also need to provide transparent responses to submitted forms with sensitive data, along with copies of the data collected in electronic format. These are just a few of the many required steps, and many companies are struggling to comply, in part due to some of the more vague language in the legislation. Smaller companies are also finding this more difficult because they cannot afford consultants and lawyers to ensure compliance.

Measures to ensure compliance include fines of up to 4% of a business’s annual global turnover or 20 million euros, whichever is greater. Companies not in compliance may be liable to consumers for compensation claims for damages suffered. Additional fallout includes reputational damage and loss of consumer trust as cases are publicized.

To make it simpler to standardize data privacy and protection with the EU, and to provide Americans with similar protections, U.S. policymakers are assessing the need for comprehensive national legislation. Currently, the U.S. has only by-sector and by-state legislation. Similar federal legislation would help to put the U.S. on equal footing with the EU and make it easier for American companies to be compliant with both sets of standards. Consumer and industry advocacy groups are calling for similar approaches, but Privacy for America, a lobbying organization, represents the business interests of a conglomerate of industry bodies in data privacy. Their objectives may not always overlap with those of Congress and the advocacy groups.

The EU does not shy away from imposing steep fines for regulatory non-compliance. U.S. companies are taking it seriously, and EU citizens are benefiting. It is highly likely that the U.S. will institute similar legislation to protect its own interests and citizens as matters of data privacy and security continue to intensify.

Learn more about USI’s online MBA program.


Congressional Research Service: EU Data Protection Rules and U.S. Implications

CSO: General Data Protection Regulation (GDPR): What You Need to Know to Stay Compliant

GreenBook: GDPR: A Guide for International Business

Have a question or concern about this article? Please contact us.

Our Commitment to Content Publishing Accuracy

Articles that appear on this website are for information purposes only. The nature of the information in all of the articles is intended to provide accurate and authoritative information in regard to the subject matter covered.

The information contained within this site has been sourced and presented with reasonable care. If there are errors, please contact us by completing the form below.

Timeliness: Note that most articles published on this website remain on the website indefinitely. Only those articles that have been published within the most recent months may be considered timely. We do not remove articles regardless of the date of publication, as many, but not all, of our earlier articles may still have important relevance to some of our visitors. Use appropriate caution in acting on the information of any article.

Report inaccurate article content:

Need more information?

Submit the form below, and a representative will contact you to answer your questions.

Or call 844-515-9104

Ready to Go?

Start your application today!

Call 844-515-9104 844-515-9104
for help with any questions you may have.