The General Data Protection Regulation, more commonly known as the GDPR, replaced an inconsistent country-by-country approach to how companies were required to handle the personal data of European Union (EU) residents. The EU Parliament approved the GDPR last month, and all companies, including US companies, must be compliant by May 25, 2018 or face heavy fines that can be up to 20 million euros or 4% of a company’s prior-year worldwide revenue, whichever is higher. This is not a typo. Now that I have your attention, let’s break the GDPR down to 2 important questions.
Does my US business offer goods or services to EU residents? If the answer is yes, you are subject to the GDPR.
First, what is an EU resident? An EU resident is any individual who resides in any of the 28 member states that form the EU. This applies to anyone who resides in the EU; citizenship is NOT required. Second, there is no requirement that the company offering the goods or services be located in the EU. All that is required is that the individual resides in the EU. The GDPR focuses on the EU resident, known as the “data subject”, and not on the “data controller”. Consider the following: does your company have a website? If your website collects data from an EU resident, you fall under the purview of the GDPR regardless of whether you have a physical business location in the EU or whether any business transaction was consummated between your business and the EU resident. The mere surfing of a Pennsylvania business’s website by an EU resident makes your business subject to the GDPR.