Cross-Border Compliance for U.S. and Global Businesses
“Great insight into #GDPR and how US companies can protect themselves. Diving deeper into compliance of all types, cross-border commerce does not mean exemption from local laws, whether the business is virtual or just accessing talent in-country. Practicing a compliance-first strategy will ensure growth is not stalled as a result of not knowing local laws.” Lou Calamaras, CCWP, Director Global Solutions, CXC Global North America.
For the past few months, lawyer Robert Bond has been getting around six new inquiries a day from European companies wanting advice on how to comply with the new EU data rules that come into force in exactly a month’s time, on May 25. The General Data Protection Regulation (GDPR) means that businesses will need to be much clearer about the information they hold on people and give them more control over it (see summary of consumers’ rights below).
But more recently, Bond, a partner at London law firm Bristows, has been waking up to inquiries from the other side of the Atlantic. “Already this morning, there’s been three overnight from the U.S., saying we don’t have anything in place but we’ve realized this applies to us, do you have a quick-fix solution? I think there’s an awful lot of businesses out there, particularly outside the EU, that have suddenly realized the extraterritorial nature (of the regulations) and that’s come as quite a shock. They are assuming it’s a tick-the-box exercise, which of course it isn’t.”
Even if a company has no direct EU operations, it may still need to comply, said Bond, who was speaking at an event organized by the U.K. body the Direct Marketing Association (DMA) in London on Tuesday. A Bristows client in Reno, Nevada that managed aftercare for people who had bought laptops thought it would be exempt from the rules, until one of its European customers required it to put a GDPR program in place, because the Reno company was acting on that customer’s behalf and processing information on people in Europe.
GDPR is also part of the reason why Facebook is asking users to review their privacy settings, covering things like whether advertisers can target them based on religious and political views or their sexual orientation. Even though Facebook is a U.S. company, the rules affect how it operates in other countries, because its users are connected globally.
Complying with GDPR is likely to be easier for heavily regulated business-to-business sectors such as banking and insurance, but retailers and companies that deal directly with consumers need to be aware of the “storm” that’s about to hit, Bond added. Sectors like pharmaceuticals that have historically sold to doctors, but may now market directly to consumers via health-care apps that collect personal information, will also need to deal with the new rules.
People will be able to ask companies for the information they hold on them, known as a subject access request, and businesses will have to provide this for free (currently they can charge up to £10, or $13.96). Brands must be ready for scrutiny, Bond said. “Post May 25, you will see a big spike in the number of subject access requests, particularly driven by consumer privacy-facing groups who want to poke at particular brands and so on, because they can.”
But what if a business is not likely to be ready in a month’s time, whichever side of the Atlantic it’s on? Chris Combemale, chief executive of the DMA, said it’s an ongoing process. “May 25 is not like Y2K, it’s not like there is a sprint and I’m compliant and then I don’t have to do anything for the next 10 years. Actually, GDPR is a way of thinking about your customer, a way of thinking about your business that is permanent and long term.”
The full article was originally posted on cnbc.com.
If you’d like to learn more about CXC Global’s compliant workforce solutions in over 70 countries, please contact us.