We at Crowned know the importance of understanding data privacy laws like the EU’s GDPR and California’s CCPA. In the shadow of the COVID-19 pandemic, data privacy is as hot a topic as ever. Given all the media attention to GDPR, we thought it would be helpful to drill down into how GDPR applies in the USA, especially since most small businesses aren’t confident that they comply with GDPR rules.
With more people than ever working from home, keeping data safe and in compliance with data privacy law is more important than ever. The European Union’s GDPR (General Data Protection Regulation), California’s CCPA (California Consumer Privacy Act), and Brazil’s LGPD are just the tip of the iceberg in the era of data protection. It’s important for anyone with an online presence to have a general grasp of these rules.
Why should I care about GDPR in the USA?
Being ahead of the curve is key here. GDPR is the headliner of the data privacy show, but we also have to be aware of the laws it has inspired. With the roll-out of California’s CCPA and Brazil’s LGPD this year, data privacy laws are just getting started. In the US alone, several states, including Nevada, New York, Texas, and Washington, are considering following California’s lead and passing their own data protection laws. Canada and Australia have data protection laws in the works, too. So why not become GDPR compliant now and save yourself the headache when the next wave of GDPR-style laws arrives?
If you have customers in the EU, you should care about GDPR!
GDPR protects people in the EU/EEA (data subjects) and applies to any organization that processes their personal data, whether that organization decides why and how the data is used (a data controller) or processes it on a controller’s behalf (a data processor). GDPR is location-based: what matters is where the data subject is located when their data is processed. Citizenship is not a factor; location is key here.
The size of your business, the number of employees, or the amount of revenue you make doesn’t matter to GDPR rules. If your business does at least one of the following, GDPR applies to you:
- Your business offers goods or services (even with no commercial transactions) to EU/EEA residents.
- Your company monitors or tracks the online behavior of users inside the EU/EEA.
GDPR & COVID-19
The ICO, which regulates GDPR in the UK (where your writer dwells), has published guidelines for businesses operating in the UK that discuss the challenges of staying compliant during the pandemic.
Organizations face many data privacy challenges right now: an uptick in working from home, a major rise in phishing attacks and scammer activity, and staff shortages that might make it difficult to answer data access requests within the deadlines the law sets. The UK is feeling the brunt of these challenges at the moment.
The ICO has stated:
“We understand that resources, whether they are finances or people, might be diverted away from usual compliance or information governance work. We won’t penalise organisations that we know need to prioritise other areas or adapt their usual approach during this extraordinary period.
We can’t extend statutory timescales, but we will tell people through our own communications channels that they may experience understandable delays when making information rights requests during the pandemic.”
GDPR will continue to evolve over time. The European Union will keep this site updated with news of the future of GDPR.
GDPR Bottom Line for US Companies
The long and short of it is that if you have any data subjects you serve or track (customers, readers, users, etc.) based in the EU, you must comply with GDPR. Here’s a great resource for help if you’re feeling a little astray on this front.
These laws will continue to develop as regulators see how companies respond to privacy legislation. We will likely see regulators expand the rules to rein in companies that do their best to find loopholes, and Google and Facebook are already doing exactly that.
We here at Crowned believe that working toward GDPR compliance is wise and worth it. Like so much right now, it’s hard to forecast. One thing is for sure, though: data privacy isn’t going away, and it’s best to work toward GDPR compliance ASAP.
In our next blog, we’ll dive into a few of the details about what GDPR is and how you can work toward compliance.