GDPR Territorial Scope Offers New Surprises to US Service Companies




The international scope of the General Data Protection Regulation (GDPR) continues to surprise. Under Article 3 of the regulation, a company that has no physical presence in the European Union can still be subject to the GDPR's security and privacy requirements.

Corporate legal departments need to read the details carefully. In a survey of businesses our company conducted last year, we found that more than 60% were not prepared for the GDPR. In more recent conversations with US-based executives, we found that there is still a lot of misunderstanding about the GDPR's impact, especially among US companies that are, or work with, e-commerce and SaaS providers.

It has been known for some time that the GDPR can reach US businesses whose only presence in the EU is a website. Recent guidance from EU regulators (the European Data Protection Board) on territorial scope may nonetheless bring late surprises to US IT departments: it spells out the GDPR's extraterritorial reach in more detail and clears up some confusion.

Many of these companies will likely need to implement the regulation's security and privacy measures, including 72-hour breach notification, data minimization, a process for handling data subject access requests, and the "right to be forgotten" (erasure).

The impressive reach of GDPR Article 3

The GDPR's long legal arm is set out in Article 3. Stripped of legal jargon, it says the GDPR applies to any enterprise "established" in the EU, and to any enterprise that "targets" people in the EU by offering them "goods or services." It also covers companies that monitor the behavior of people in the EU, but that clause is mainly relevant to web tracking: cookies and the pop-up privacy notices that go with them.

In the guidance, European regulators make clear that a website that is merely reachable from the EU does not by itself amount to targeting EU consumers. They back this up with concrete examples. One covers a non-European hotel chain whose website is available in French, German, Spanish and English.

EU consumers can book rooms, but the data collected is not governed by the GDPR, because offering the site in those languages does not, on its own, specifically target French or German consumers. If the chain crossed the threshold with wording such as "10% discount for Berliners," the GDPR would apply.

US cloud providers and the GDPR

The guidance goes further and addresses some interesting questions about personal data processed in the cloud. The legal question is essentially the same: you can be covered by the GDPR even if your company has no office in the EU.

For example, a US SaaS company provides e-mail contact-management software hosted in a cloud environment. An EU company signs a contract with the US company and uploads its customers' personal data to the US company's servers. The guidance tells us that the US company cannot treat itself as outside the GDPR: as the EU customer's processor it is bound by the Article 28 contract terms the customer must impose, and where the processing relates to services offered to people in the EU, Article 3(2) can reach it directly.

It is easy to imagine SaaS executives saying, "We have no office in the EU and no EU market, so we're safe." Wrong. Non-European SaaS providers are potentially affected by the GDPR, and so are the cloud companies that host the infrastructure these applications run on, as sub-processors. This is why the leading US cloud providers now offer the data processing agreements the GDPR requires.

Incidentally, SaaS companies and their cloud hosting providers must have contracts in place with the content Article 28 of the GDPR prescribes. These contracts are designed to prevent finger-pointing after an incident, for example the hosting provider telling the SaaS company that it bears no liability for a breach, and vice versa.

Consequences

Companies that fail to notify the EU supervisory authority of a data breach within 72 hours can be fined up to 2% of global annual turnover. Failing to implement appropriate technical and organizational security measures (Article 32) falls in the same 2% tier. If regulators find more fundamental breaches, such as processing with no lawful basis, ignoring data subject rights, or unlawful international transfers, the fine can reach 4%.

The fine is calculated on worldwide revenue, not EU sales. For a US SaaS company, or a small but highly profitable hedge fund with only tenuous ties to the EU, a GDPR fine could be a major shock.

Whether or not your organization is in scope, the GDPR goes beyond any US law, including the Health Insurance Portability and Accountability Act (HIPAA) and the California Consumer Privacy Act, in both its data security and privacy requirements and the severity of its fines.

With the new guidance, lawyers have raised the alarm that it does not take much to be "established" in the EU, but questions remain about how regulators will apply Article 3 to US companies. We do know that European regulators are serious about enforcing the GDPR and have already imposed fines.

What you should do

US companies covered by the GDPR must identify the personal data in their file systems and make sure the appropriate access rights are in place. Note that the GDPR defines personal data broadly: it covers traditional identifiers such as name, address and driver's license number, but also e-mail addresses, online identifiers and IP addresses.

Identifying and classifying data is the basis for continuously assessing and remediating GDPR-related data risk: for example, deleting personal data that no longer serves a business purpose, minimizing the data collected, and restricting file access to the people who really need it.
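As an added example that is not from the original article or its author, the following Python script performs a minimal personal-data discovery pass of the kind the two paragraphs above describe. It walks a directory tree, matches two of the GDPR's broadly defined identifiers that can be found mechanically (e-mail addresses and IPv4 addresses), and flags any file containing them that is readable by everyone on the host. The directory layout, file contents and addresses are constructed sample data; the matching is deliberately narrow, since names, postal addresses and license numbers need dictionaries or format-specific rules this script does not attempt, and the permission check is meaningful only on POSIX systems.

```python
"""Personal-data discovery over a file tree (added example, constructed data)."""
import os
import re
import stat
import tempfile
from dataclasses import dataclass
from typing import Dict, List

MAX_BYTES = 1_000_000  # read at most this much of each file

EMAIL_RE = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")
# IPv4: four dotted octets in 0-255. The lookarounds stop partial matches
# inside longer dotted numbers (e.g. "1.2.3.4.5") or version strings.
IPV4_RE = re.compile(
    r"(?<![\d.])(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}"
    r"(?:25[0-5]|2[0-4]\d|1?\d?\d)(?![\d.])"
)


@dataclass
class Finding:
    path: str            # path relative to the scanned root
    emails: List[str]    # distinct e-mail addresses found
    ips: List[str]       # distinct IPv4 addresses found
    world_readable: bool  # True if "other" has read permission


def scan_text(text: str) -> Dict[str, List[str]]:
    """Return the distinct e-mail and IPv4 identifiers found in a text blob."""
    return {
        "emails": sorted(set(EMAIL_RE.findall(text))),
        "ips": sorted(set(IPV4_RE.findall(text))),
    }


def scan_tree(root: str) -> List[Finding]:
    """Scan every regular file under root; report files holding identifiers."""
    findings: List[Finding] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets, devices
            with open(path, "rb") as fh:
                text = fh.read(MAX_BYTES).decode("utf-8", errors="ignore")
            hits = scan_text(text)
            if hits["emails"] or hits["ips"]:
                findings.append(Finding(
                    path=os.path.relpath(path, root).replace(os.sep, "/"),
                    emails=hits["emails"],
                    ips=hits["ips"],
                    world_readable=bool(st.st_mode & stat.S_IROTH),
                ))
    findings.sort(key=lambda f: f.path)
    return findings


# Constructed sample files: the people, domains and hosts are fictitious.
SAMPLE_FILES = {
    "crm/export.csv": "name,email\nAnna Example,anna@example.org\n"
                      "Ben Sample,ben@example.net\n",
    "logs/access.log": '203.0.113.7 - - [10/Oct/2019:13:55:36] '
                       '"GET / HTTP/1.1" 200\n',
    "docs/readme.txt": "Build 1.2.3 released. Contact the team on the intranet.\n",
}


def demo() -> List[Finding]:
    """Build the sample tree in a temporary directory, set permissions, scan it."""
    with tempfile.TemporaryDirectory() as root:
        for rel, content in SAMPLE_FILES.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(content)
        # A correctly locked-down export: owner-only access.
        os.chmod(os.path.join(root, "crm", "export.csv"), 0o600)
        # A log left readable by everyone, which the scan should flag.
        os.chmod(os.path.join(root, "logs", "access.log"), 0o644)
        return scan_tree(root)


if __name__ == "__main__":
    for f in demo():
        flag = "WORLD-READABLE" if f.world_readable else "restricted"
        print(f"{f.path}: {len(f.emails)} e-mail(s), {len(f.ips)} IP(s) [{flag}]")
```

In the sample run the CSV export is reported with two e-mail addresses but restricted permissions, the access log is reported with one IP address and flagged as world-readable, and the readme (which contains only a version string) is not reported at all. A real deployment would add the identifiers that matter for your data, route findings into a classification inventory, and re-run on a schedule so the "continuous assessment" the text calls for is actually continuous.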

Lawyers will tell you that the GDPR is a "show your work" regulation. This applies in particular to US companies that are new to the GDPR. Ideally, security processes and programs should already be in place, and regulators will give credit for being able to show your plans and documentation during an investigation or audit.

It is not too late to become GDPR compliant. Perform a complete analysis of the personal data you hold and develop plans to close the security and privacy gaps you find.

To maintain compliance with the GDPR, document your repeatable processes as standard operating procedures. These will also help you earn credit with regulators.

The information provided here does not constitute legal advice and does not purport in any way to substitute for the advice of a solicitor on a specific issue. For legal advice, you should consult a lawyer regarding your specific situation.

Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.