March 23, 2018 | Blog, Digital Marketing

The EU’s General Data Protection Regulation (GDPR) and Why It Matters to U.S. Companies

The European Union directive declares data privacy to be a fundamental human right that American companies ignore at their peril.
When you first hear about the GDPR, you might think that it’s an EU thing and it doesn’t apply to American companies with no services in Europe. But that’s not the case.
The GDPR boils down to this: if any EU citizen accesses your site and leaves a data trail, the regulation affects you. It does not matter where your home office is or where you store or process the data. This could be a game changer for companies across the globe.
Gone are the days when adding a cookie consent banner was a catch-all strategy to ensure compliance. After four years of debate, the EU has finally approved the General Data Protection Regulation (GDPR), which takes effect May 25, 2018.
Even if your site has no traffic coming from the EU at all, your analytics providers, marketing partners, hosting services, and other parts of your web infrastructure will be affected, and therefore so will you.
We recently received an email from both Google and Slack notifying their users how they will be updating their policies and procedures to comply with GDPR. As users of both, we need to understand what changes they are making. We expect to receive more of these emails over the coming weeks.

We want to stress that GDPR is a complicated set of legislation that the EU will put into effect and enforce on May 25, 2018. We are providing a brief summary, our interpretation, of some of the most critical aspects that we believe will impact US companies. This article should not be construed as legal advice and, as with any legal situation, you should consult with your legal counsel. We encourage you to do your own due diligence and perhaps read the GDPR Directive itself.

A Closer Look at the GDPR

Take a minute and read, then reread, this statement about the GDPR Directive:
GDPR declares that Data Privacy is a fundamental human right that is the responsibility of all governments to recognize and protect.
The European Union rejects the concept that data collection is just a function of marketing, technology or IT. Data privacy will be held on the same human rights plane as the right to life, the right to education, freedom of expression, and freedom of religion (Preamble, Sec 4).
With penalties starting at 4% of annual global revenue or $28 Million/€20 Million (whichever is greater), it’s worth taking seriously.
As with any change to legislation, there are some common misconceptions already surfacing around the GDPR Directive. We address these below:

5 Common Myths around GDPR

    1. GDPR only applies to companies with a physical presence in Europe.
       • No. GDPR is designed to protect the people who live in Europe, but it does not exclude companies whose physical presence is outside of the EU.
    2. GDPR affects only data in Europe.
       • No. The rules of GDPR flow with the data: they are attached to the data, not to the location where it is stored or processed.
    3. Marketers will need to get all new consents from all of their users.
       • Not necessarily. If brands have already gathered consent in a GDPR-compliant way, that is sufficient.
    4. The right to be forgotten is absolute.
       • No. Companies may have legitimate business reasons to keep data (for instance, legal or tax records).
    5. Just obtaining consent is acceptable.
       • No. Consent that a user must give in order to use your site (i.e., to purchase something, download media or view content) may not be considered valid consent, even if they click a consent button.

As global organizations brace for all of the changes that they may need to implement in order to be compliant with GDPR, Adobe is helping brands get there by ensuring that Adobe products support this journey. In our next post, we will discuss how Adobe is addressing these new regulations to help its customers comply. You can read more from Adobe here.
In the meantime, we encourage all organizations to become familiar with this statute and take steps toward compliance. How this will play out in terms of enforcement in US courts is yet to be determined; however, even if US courts will not enforce this regulation (it remains to be seen how a case against a US company would play out), companies need to be mindful of the very real impact that the GDPR legislation and impending enforcement might have on future plans, incidental business dealings, and the travel of company officers.
The GDPR Directive can be found here.  

Divya Kandikatti
Divya is the Director of PMO/BSA here at Blue Acorn iCi. She works with clients throughout their digital transformation journey, working closely to align business goals and strategic vision, ensuring projects are delivered with the highest ROI. She has over 10 years of experience managing and delivering complex projects for enterprise clients within Finance, Publishing & Media, Banking, and Hospitality. Divya is trusted by clients like ALSAC/St. Jude Children's Research Hospital, AICPA, Domtar, Ingersoll Rand, Panera Bread, and Capital One. She is very competitive and learns on the fly. On any given day, you will find her either doing kick-boxing, enjoying acrylic painting, or trying her hand at stand-up comedy.
