This article is the first of a series dedicated to soothing the furrowed brows of U.S. business people concerned about complying with the General Data Protection Regulation (GDPR), which took effect in the European Union (EU) on May 25. [1] After reading this article, you may decide to adopt GDPR principles voluntarily to gain a superior edge over your competitors.

At first glance, many managers may believe compliance with the GDPR will be burdensome, expensive and unnecessary if their company does not (1) offer goods or services to EU residents, (2) have an established presence in the EU or (3) track the behavior of EU residents.

Without a clear nexus between your company's business dealings and the EU, it seems counter-intuitive to submit to the rules of foreign legislation. In reality, the GDPR is not as foreign as you may believe it to be:

  1. The U.S. Senate [2] and the State of California [3] are already pushing for legislation that incorporates several of the GDPR’s core principles.
  2. Your business may already incorporate core GDPR principles into its data processing, such as conducting regular data protection impact assessments (DPIA).
  3. Your business can communicate its core values and brand differentiation as a top-tier privacy advocate by implementing GDPR standards voluntarily.

Media coverage may also contribute to a belief in the U.S. that the GDPR is disparate and overly punitive as compared to domestic privacy laws.

The media and vendors focus on the most intimidating, penalizing provisions of the GDPR. In the vein of “if it bleeds, it leads,” many articles focus on two of the GDPR’s penalty provisions:

Up to 10,000,000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher; and

Up to 20,000,000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.

(EU) 2016/679, Ch. 8, art. 83(4)-(5) (emphasis added). Converted to U.S. dollars, the penalties total roughly $11.6 million and $23.1 million, respectively. Armed only with the headlines, a reader might conclude that financial and reputational ruin is inevitable if a breach occurs because an account manager used the “coarse” rather than the “fine” shredding setting when destroying the personal data of EU residents.

Yet, as will be discussed later in the series, EU data protection supervisory authorities will mete out the harshest penalties to repeat offenders and for the most outrageous breaches of privacy, such as violating the rights of children. The bottom line is that the more you learn about the GDPR, the less intimidating and more reasonable you will find it. [4]

Educate yourself before you panic. With the exception of Facebook and Google, U.S. commerce has continued relatively unscathed by the GDPR so far. The average U.S. business will likely continue unimpeded.

The principal driver of the GDPR is the EU’s inclusion of personal privacy as an inalienable right. Historically, the EU has placed a higher importance on personal privacy than the U.S. government has. The Universal Declaration of Human Rights (Declaration), effective 10 December 1948, includes provisions protecting the right to a private life in Article 12, as does Article 8 of the European Convention on Human Rights (ECHR), effective 3 September 1953. The GDPR is merely the newest arrow in the quiver of European data privacy supervisory authorities. Every few years since World War II, the EU member states have adopted new statutes, declarations, treaties and charters to protect personal privacy. For example, rules regulating the automated processing of personal data followed the wider availability of computers in the 1970s, and rules governing the cross-border transfer of data followed the creation of the worldwide internet. Additionally, the EU designates genetic history, biometric data, sexual preference, and religious, union and political affiliation as “special” categories of personal data.

In comparison, the founders of the U.S. did not include privacy in the triad of inalienable rights (life, liberty and the pursuit of happiness). The U.S. Constitution implies privacy in other express constitutional rights, as do state constitutions, court decisions and legislation, but there is no overarching federal mandate on par with the EU’s inclusion of privacy in the Declaration and ECHR. Yet, regardless of the debate’s outcome, the GDPR may not be as disruptive to U.S. businesses as expected. Change can be hard, but it can also be good.

Finding the good in the GDPR:

“Don’t be afraid of change. You may lose something good, but you may gain something better.” -Unknown

The GDPR contains many obligations to disclose information to data subjects, human resource managers, employees, supervisory authorities, data privacy officers and business partners. If a U.S. business were to comply with the GDPR, it would have to change its attitudes and procedures. Through change, however, there is the potential to gain:

  • Confidence from investors, clients, employees, peers and regulators based on the business’ demonstrated commitment to protect personal privacy.
  • Predictability from plain-language policies and procedures, which create uniformity and reduce the risk of error by a decision-maker in a silo.
  • Security from implementing physical, administrative and technical safeguards suitable to protect the type and volume of personal data individuals entrust to the business.
  • Defenses against evolving threats, demonstrated by results of regularly scheduled data protection impact assessments (DPIA).
  • Recognition and mitigation of possible vulnerabilities.
  • Freedom to focus on the business of business while realizing the benefits of lower insurance premiums and a sterling reputation.

The tangible benefits of the listed items are obvious, and the advantages in positioning and branding are creatively endless.

U.S. businesses adopting a “We Try Harder” attitude toward the GDPR position themselves as privacy champions. Technological advances and the threats to the safekeeping of personal data are evolving. A business that regularly assesses the negative impact of its processes can be prepared to meet each new threat. Consistent self-assessments can position the business to incorporate the GDPR principles that U.S. data insurers, risk managers, clients, business partners and industry groups ratify as the “new normal” — and do so long before the competition gets on board and begins to play catch up.

Consider the GDPR as an opportunity to tout your core values and distinguish your business from competitors as a company that voluntarily exceeds U.S. data protection and security standards. Business leaders can decide which of three options the company will adopt:

(a) Ignore the risks and hope for the best,

(b) Comply with legal U.S. minimal standards to avoid being fined, or

(c) Adopt EU privacy principles and position and differentiate your brand.

As a consumer or business partner, which business would you want to safeguard your most private, personal data? In the following weeks, we will provide a toolbox your business can use as well as updates on new developments in enforcement and interpretations of the GDPR. Read our series. We are here to help.

Final thoughts. Beware of the hard sell of GDPR preparation goods and services. The length of the GDPR and the numerous exceptions embedded in it can make it difficult to summarize the regulation accurately in a single, generic report. Be cautious of those presenting the GDPR in a wholly negative light.

In summary, U.S. businesses are at an intersection regarding their commitment to privacy. The penalties under the GDPR should not drive the compliance decisions for most U.S. businesses. Instead, establishing core values, positioning and brand differentiation will drive the businesses that ultimately decide to lead the charge in providing exemplary privacy protections. Seize the day and the opportunity to create an advantage over your competition.