The European GDPR Effect on American Business

On May 25, 2018, the European Union’s broad new privacy laws went into effect. The General Data Protection Regulations (GDPR) are designed to protect the personal information of consumers, or data subjects. Companies based in the European Union must comply with the GDPR. However, this article is not for European companies, but for companies based in the United States.

Protecting PII with GDPR
Whether operating online or not, companies generally collect, store, and use their customer’s personal identifiable information (PII). For example, a retailer may save information like birthdates, mother’s maiden name, place of birth, addresses, and employment information. PII can generally be described as any information that can be used to contact or locate an individual.

Under the GDPR, PII is to be protected. In fact, companies must have the data subject’s permission to store:

• Web-based data,
• Health-related data,
• Biometric information,
• Racial and/or ethnic data,
• Political opinions, and
• Sexual orientation.

The GDPR is sometimes referred to as the “right to be forgotten.” Consumers in the EU can now tell a company not to save their PII. This amounts to the company “forgetting” the consumer’s data.

Companies are prohibited from saving, using, or selling PII without the permission of the data subject. In addition, a consumer who feels their information has been stored by a company may contact that company and demand they delete all of their personal data.

The GDPR and Minnesota Business
Many American businesses will remain unaffected by the new regulations. However, even though enacted in the EU, the GDPR applies to any organization that uses an EU resident’s personal information. Where that organization is physically located does not matter.

A Minnesota business that conducts business online potentially may be required to comply with the GDPR. Just selling products online may not be an issue, however. What may matter most is whether an American company targets potential clients in the EU with web content or advertisements in their native languages. The GDPR only applies to customers of U. S. companies who are in the EU when their personal data is collected.

Example: Although Minnetonka Gadgets is headquartered in Minnesota, they now have many online customers in Spain, Sweden, and Brazil. As they grow, they may consider opening small stores in these three countries, but their informational materials and website are in English only. At this time, the GDPR probably does not affect their Brazil business because Brazil is not part of the EU. However, Spain and Sweden are EU countries. If the company doesn’t target consumers in those countries, they may be safe. However, since the fines for non-compliance with the GDPR are high, it’s in their best interests to research the issue.

Will Your Company Be Affected by the GDPR?
It may be difficult to understand whether your business must follow the GDPR. It also may be very difficult for the EU to penalize American companies for breaches of the GDPR.

However, if your company falls under these new regulations, you may need to give your customers the option of opting out of PII storage. It’s also important to protect any data you are allowed to collect.