US companies are not exempt from Europe’s new data privacy rules — and here’s what they need to do about it

For the past few months, lawyer Robert Bond has been getting around six new enquiries a day from European companies wanting advice on how to comply with the new EU data rules that come into force in exactly a month's time, on May 25. The General Data Protection Regulation (GDPR) means that businesses will need to be much clearer about the information they hold on people and give them more control over it (see summary of consumers' rights below).

But more recently, Bond, a partner at London law firm Bristows, has been waking up to enquiries from the other side of the Atlantic. "Already this morning, there's been three overnight from the U.S., saying we don't have anything in place but we've realized this applies to us, do you have a quick fix solution? I think there's an awful lot of businesses out there, particularly outside the EU, that have suddenly realized the extra territorial nature (of the regulations) and that's come as quite a shock. They are assuming it's a tick the box exercise, which of course it isn't."

Even if a company has no direct EU operations, it may still need to comply, said Bond, who was speaking at an event organized by U.K. body the Direct Marketing Association (DMA) in London on Tuesday. A Bristows client in Reno, Nevada that managed aftercare for people who had bought laptops thought it would be exempt from the rules, until one of its European customers mandated that it put a GDPR program in place because it was acting on its behalf and processing information on people in Europe.

GDPR is also part of the reason why Facebook is asking users to review their privacy settings, covering things like whether advertisers can target them based on religious and political views or their sexual orientation. Even though Facebook is a U.S. company, the rules affect how it operates in other countries, because its users are connected globally.

Complying with GDPR is likely to be easier for heavily-regulated business-to-business sectors such as banking and insurance, but retailers and companies that deal directly with consumers need to be aware of the "storm" that's about to hit, Bond added. Sectors like pharmaceuticals that have historically sold to doctors, but may now market directly to consumers via health care apps that collect personal information, will also need to deal with the new rules.

Facebook announced privacy changes in March 2018
NurPhoto | Getty Images
Facebook announced privacy changes in March 2018

People will be able to ask companies for the information they hold on them, known as a subject access request, and businesses will have to provide this for free (currently they can charge up to £10, or $13.96). Brands must be ready for scrutiny, Bond said. "Post May 25, you will see a big spike in the number of subject access requests, particularly driven by consumer privacy-facing groups who want to poke at particular brands and so on, because they can."

But what if a business is not likely to be ready in a month's time, whichever side of the Atlantic it's on? Chris Combemale, chief executive of the DMA, said it's an ongoing process. "May 25 is not like Y2K, it's not like there is a sprint and I'm compliant and then I don't have to do anything for the next 10 years. Actually, GDPR is a way of thinking about your customer, a way of thinking about your business that is permanent and long term."

If GDPR seems like a mountain to climb, break it down, advised Richard Merrygold, director of group data protection at U.K. domestic repairs business HomeServe. "If you haven't started, then you need to find out what's the most important thing, is it having a good basic consent (to use data), is it having someone in place who can advise you, is it going out and re-consenting, is it going out and doing your data mapping and understanding where all your information is?" he said, speaking at the DMA's event.

In the U.K., it will be the Information Commissioner's Office (ICO) that fines companies breaking the rules, with penalties of up to 4 percent of global turnover, or 20 million euros ($24.4 million), whichever is greater. Richard Sisson, a senior ICO policy officer, has a pragmatic approach. "If you are doing work that you can to comply, if you are working towards the accountability principle, if you have plans in place to show you are working towards compliance, we do take those things into consideration. We are not suddenly going to issue huge fines immediately," he said at the event.

But overall, complying with the new rules will be good for business, according to Combemale. "There may be some short term pain in GDPR but if it creates trust and better customer experiences, it should lead to more long-term loyalty and over time better shareholder value."

GDPR – the rights people in the EU will have from May 25

  • Consumers will have a right to be informed about the collection of their information. Apple, for example, has introduced privacy icons to explain when it is gathering data on users.
  • People will also have the right to access their information via a subject access request and companies must provide this within a month. If any data is inaccurate, companies must correct it.
  • Consumers have the right to have their information erased, also known as the right to be forgotten. They can also ask for their data to be restricted: companies can store data but not use it.
  • People will be able to move or copy personal information from one source to another, known as data portability.
  • Consumers will have the right to object about how their data is used — including for direct marketing. They can also object to profiling, when companies automatically process data to make assumptions about a person for marketing.