(And Why U.S. Companies Should Take Note)
The General Data Protection Regulation (GDPR), Europe’s sweeping data protection law, has been in effect for six months, and while fines have yet to be levied against U.S. companies for breach of the law, enforcement is beginning to take hold. Anne Shannon Baxter of Access Partnership discusses what organizations with cross-border operations should know.
The General Data Protection Regulation (GDPR) has been in effect for six months, and U.S. companies are still struggling to understand its ramifications. As readers of this publication are aware, the European Union law applies to any foreign companies processing the personal data of data subjects residing in the EU, regardless of the company’s location. This means that businesses in the U.S. that offer goods and services, monitor the behavior of individuals or have an establishment within the EU are liable.
There have not been any fines levied against U.S. companies for breach of the law at the time of writing, but this won’t be the case for long and, with fines of up to €20 million or 4 percent of annual global turnover (whichever is the higher), the risk can’t be brushed off.
Adding to the difficulty, enforcement of the GDPR so far has focused on big technology companies, making it…