The General Data Protection Regulation (GDPR) — Europe’s most comprehensive data privacy law to date — turned the digital world on its head when it became enforceable on May 25, 2018.
Although it is EU law that applies directly across the EU and the wider European Economic Area (EEA, the term used hereafter for brevity), this groundbreaking data protection and privacy regulation reaches far beyond Europe’s physical borders.
This includes the United States (US), the EU’s most important trading partner.
The GDPR’s broad scope naturally raises a few questions: Does the GDPR apply to corporations in the United States? Does it protect citizens of the United States? How does the GDPR reach US companies in practice? And what distinguishes it from other internet privacy legislation in the United States?
Does GDPR Apply to the US?
Yes. The GDPR does not apply to countries as such; it applies to organizations that process the personal data of people in the EU/EEA, wherever in the world those organizations are established, and that includes the United States.
Article 3 of the GDPR, which defines the regulation’s territorial scope, states that it covers not only organizations established in the EU/EEA but also organizations outside the EU/EEA that offer goods or services to, or monitor the behavior of, data subjects who are in the EU/EEA. The test is where the data subject is, not their citizenship or residence: a US citizen who is in the EU is protected, whereas an EU citizen living in the US is not covered by this provision.
The GDPR therefore applies to a US enterprise, regardless of its revenue or headcount, if at least one of the following two conditions is met:
- The company offers goods or services to data subjects in the EU/EEA, whether or not payment is required (Article 3(2)(a)).
- The company monitors the behavior of data subjects in so far as that behavior takes place within the EU/EEA, for example by tracking EU visitors to its website with cookies or analytics (Article 3(2)(b)).
The GDPR is a European Union data privacy law that obliges businesses to keep personal data secure while giving individuals more control over how their information is collected and used.
Noncompliance can result in administrative fines of up to €20 million or 4% of the company’s total worldwide annual turnover for the preceding financial year, whichever is higher, depending on the nature, gravity and circumstances of the infringement (a lower tier of €10 million or 2% applies to less serious breaches).
GDPR compliance checklist for US companies
- Conduct an information audit to identify what personal data of people in the EU/EEA you hold, where it came from, where it is stored and who it is shared with
- Inform data subjects, in a clear privacy notice, why you are processing their data and on what legal basis
- Assess your data processing activities and strengthen protection (carry out a data protection impact assessment for high-risk processing)
- Make sure you have a data processing agreement with every vendor that processes personal data on your behalf
- Appoint a data protection officer if the GDPR requires one, and, if you have no establishment in the EU/EEA, designate an EU representative under Article 27 unless your processing qualifies for the exemption in Article 27(2)