What impact could GDPR have on US companies?
Although the GDPR is an EU regulation, it applies to any business or organization that offers goods or services to individuals in the EU, or that monitors their behaviour, regardless of where that business is established. As the EU is one of the largest markets in the world and almost every global enterprise does business there, the GDPR can become the de facto standard worldwide. Fortune 500 businesses and others, beware: noncompliance can carry penalties as high as 4 percent of annual global turnover or EUR 20 million, whichever is higher.
The continuing expansion of cloud, SaaS and mobile computing in enterprises will expose US companies further to the GDPR, because they often act in both roles, as data processors and as data controllers. This could be a competitive disadvantage for US companies, and an advantage for EU companies that either offer cloud services themselves or buy them from other EU providers. An Ovum survey conducted in Q3 2015 found that 85% of US companies believe it will be harder to compete against European companies, which could mean that the number of US companies operating in the EU will decrease.
The Snowden effect and the recent deregulation efforts of the US government could lead to a further loss of confidence in US companies offering goods and services in Europe. US firms can expect more effort and expense both to comply with the GDPR and to demonstrate that compliance, since the regulation makes the controller responsible for being able to show compliance, not merely to assert it.
Because of their global trade relationships and dependencies, US companies increasingly have to expand their privacy efforts and make them more flexible. They face a patchwork of overlapping and sometimes conflicting privacy regulations worldwide and need technology options that can address all of them. This also applies to US companies already doing business in the EU that have historically relied on the data protection law of one particular EU member state, a choice that was possible because national implementations of the 1995 Data Protection Directive differed. Such loopholes close when the GDPR, a regulation that applies directly and uniformly in every member state, becomes enforceable on 25 May 2018.
US companies that operate in the EU market and process personal data are subject to the GDPR in every EU country in which they do business. Note that the GDPR's term is "personal data", which is broader than the US notion of personally identifiable information (PII): it covers any information relating to an identified or identifiable person, including online identifiers such as IP addresses and cookie IDs. Organizations are not relieved of responsibility because they increasingly rely on a third-party cloud provider, which is often also a US company, to manage that data: the controller remains accountable, and the processor now carries direct obligations of its own. The first step is to recognize this responsibility and create a strategy to act on it.
What other impact could GDPR have on US companies? Please leave a comment.