NovaBACKUP Security Blog

Does the GDPR Affect My US Company?

Yes. That’s the short answer. But let’s take a step back to explain.

Unless you’ve been living under a rock, you are probably already aware of Europe’s GDPR (General Data Protection Regulation), a legal framework intended to protect users’ personal data. As of May 2018 it is in effect and being enforced.

While GDPR has created major changes in the way that European businesses handle data, it also affects anyone in the world who is part of the global economy with an online presence.

GDPR affects US companies that have websites accessed from Europe.

Does your company have a website that can be accessed from Europe? Are you emailing even one EU citizen? Then the GDPR probably affects you. Why? Because if you are collecting personal data from anyone in the EU, you are subject to the GDPR, regardless of where your company is located. No transaction or sale is required for the GDPR to govern how you protect that personal data.

Now let’s be clear: for the GDPR to be enforced against a US company, marketing must be targeted at an EU country. But what qualifies as targeting? As it turns out, it might not take very much. If your website accepts EU currency, is offered in European languages, or uses European domains, it could very well be considered targeted.

So how can you ensure you are following GDPR guidelines?

  • The first thing to consider, above all else, is consent. While gathering private data, it must be absolutely clear to the data subject that you are doing so. Next, you need to be able to access and provide all gathered information on a person if that EU citizen requests it. Businesses must be able to clearly explain how private data is being used, and that purpose must align with what the customer was told and could reasonably expect. Furthermore, individuals have the right to “be forgotten,” meaning their data must be erased entirely from your systems should they request it.
  • Have you designated a compliance officer within your company? This is something that should be done regardless, considering other regulations that govern personal data, such as HIPAA and PCI.
  • As expected, when data is lost or disclosed, additional layers of obligation kick in. Data breaches must be reported within 72 hours. If high-risk data is lost (think credit card numbers and passwords), the affected individuals themselves must also be notified.
  • Store sensitive data using the most secure and flexible methods possible. This will probably get you thinking about your backup strategy, your backup solution, and regular restore testing.

Meeting strict government regulations can be a challenge. Speak with one of NovaBACKUP's data security experts today, and verify that you are taking all expected precautions.