The deadline for enforcing GDPR, or General Data Protection Regulation, is only a few months away, and businesses across the US are asking themselves what they need to do to prepare, if anything. What does the new regulation mean for the EU-US Privacy Shield agreement from last year? How does the newest agreement affect companies in the US? We’ll answer a few questions about GDPR and EU US Privacy Shield.
It’s a new framework for data protection that’s meant to unify the various data protection laws across Europe. The new agreement was approved in April 2016 and will be enforced starting May 25, 2018. US businesses that have offices in Europe or collect or use EU data for any reason will be affected.
If you have anything at all to do with the EU, yes. It’s better to be safe than sorry with the new penalties coming, which are pretty steep.
The EU-US Privacy Shield is a new agreement between the EU and US in response to the now-invalidated Safe Harbor agreement of 2000. Privacy Shield allows for the transfer of personal data from the EU to the US and focuses on the methods of data transfer, including third-party transfers.
The GDPR is a law that has specific requirements for companies that handle EU data in any country, not just the US. According to GDPR, data transfer may only occur to countries deemed by data protection authorities as having adequate data protection laws. Currently, the US is not generally listed as one of those countries.
This is where Privacy Shield comes in. This agreement helps create the adequate data protection laws needed for US companies to meet the GDPR requirement.
Not necessarily. There are several requirements of GDPR. Being compliant with Privacy Shield only ensures that you have the adequate data protection laws in place to do business with the EU. You may need to take additional steps, such as hiring a dedicated Data Protection Officer.
Essentially, the old data protection laws that were first enacted (way back in 1995) were no longer adequate enough to keep up with the explosive growth in data and the technology surrounding it. According to the GDPR website, the new agreement was designed to “designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy.”
If you’re found to be out of compliance, you could be fined up to 20 million Euros or 4 percent annual turnover (similar to revenue), whichever is higher. Not good. Fines will vary based on the nature and duration of the violation, as well as where it occurred. The law may be standardized across the EU, but enforcement likely will not be.