The General Data Protection Regulation: Why it is Likely that Your Company is not Immune to the Foreign Policy
It has been a little over a month since the European Union (the “EU”) implemented the General Data Protection Regulation (the “GDPR”) on May 25, 2018. In our previous article, we discussed the GDPR and highlighted the major points of the legislation, such as:
- territorial scope of the regulations and requirements;
- requirements for clear, concise, and specific consent forms describing the means of data collection and storage, as well as the intended use(s) for any collected data;
- hiring a Data Protection Officer responsible for compliance under the newly effective GDPR requirements; and
- severe penalties for compliance violations.
The GDPR applies to a vast range of companies. As such, having the requisite knowledge of how the GDPR operates is a wise choice for any company and, as time moves on, every company should have a definitive understanding of how the GDPR’s requirements might apply to it. While all companies should ensure compliance, participants in several specific industries must pursue compliance actively to avoid severe potential fines.
Banking and Financial
The GDPR is a regulation created to protect the personal data of EU citizens. Banks and investor groups that engage in international business will be the most prone to severe fines for noncompliance. The personal data of EU citizens that such firms collect, store, and process (or distribute) to other entities is the precise personal data that the GDPR is designed to protect. However, not all banks and investor groups avail themselves of the foreign market. Even in that circumstance, it is still recommended to take steps to become compliant under the GDPR. In a global economy, U.S. citizens are not the only ones opening bank accounts or investing funds in America. As a brief example, even a local bank that collects, stores, and processes the personal information of an EU citizen who is in the U.S. for school or vacation before returning to Europe could possibly face fines if it is not compliant with the GDPR. As such, it is incumbent on nearly every financial and investment firm to explore the potential applicability of the GDPR and the precautions that it must take to ensure compliance.
Another industry that heavily revolves around collecting, storing, and processing the data of consumers is the insurance industry. Insurance companies collect copious amounts of personal data from their customers. International insurance companies are once again the obvious type of company that would be most affected in this group. However, with physical location no longer being an issue, international companies that once stored data from EU citizens here in the U.S. and followed U.S. data regulations are no longer sufficiently compliant to avoid fines under the GDPR. In fact, it is possible for insurance companies that provide coverage to EU citizens here in the U.S. to be subjected to fines if they are not appropriately compliant. Whether the coverage is rental car insurance, renter’s insurance, homeowner’s insurance, or some other form, collecting data from an EU citizen should be treated with the GDPR in mind.
The GDPR also specifically and significantly affects retailers dealing in fashion, automobiles, and nearly every other product. Between international employees, locations, and marketing campaigns, the personal data collected, stored, and processed by such retailers is wide reaching. Fashion retailers, for instance, often create rewards accounts that allow them to track the purchasing habits of an individual, along with that individual’s age or sex. As almost all of us are all too familiar, automobile retailers collect volumes of personal information about an individual during the negotiation and sale process. The EU consists of 28 countries, with four of those countries ranking in the top 10 in the world concerning gross domestic product. Corporate retailers that market to such audiences, collect personal data through internet shopping, and/or cater to these EU citizens when they are here in the U.S. ultimately may be opening themselves up to the possibility of heavy fines under the GDPR.
While the aforementioned industries all are heavily affected by the GDPR, the list does not stop there. It is our recommendation that every company, regardless of size, look into its business practices generally, in addition to its data protection policies specifically, with a focus on becoming compliant under the GDPR. In a global economy trying to catch up to the lightning speed of technological advancements, the GDPR is just the beginning of the initiative for increasing data protection on an international scale.
Our experienced attorneys at Dickie, McCamey & Chilcote, P.C. have approached and advised clients on GDPR compliance in various connections and industries. For advisement on becoming compliant, or if you need an evaluation of whether compliance is necessary for your company, contact us today.
Jason L. Ott, Esq.
Derrick L. Maultsby, Jr.