Do I Have to Follow GDPR Data Storage Requirements if My Servers Are in the USA?

Large technology companies and corporations—like Facebook, Google, and Amazon—hold a vast amount of private and public data that can be exploited through criminal activities such as identity theft and blackmail. While these companies need the data to improve their services, it is important that the way they collect, store, and share the data is regulated.

On that note, the European Union (EU) enacted the General Data Protection Regulation (GDPR) to protect natural persons in the EU and the European Economic Area (EEA) with regards to the processing of their data and its movement.

This new regulation implemented in May 2018 and affects almost every technology company in the world, even those in the United States. Data security is important, and companies need to start taking it seriously.

The GDPR and Its Effect on US-Based Businesses

The GDPR is, in effect, an EU regulation, but its implications reach far beyond the geographical zone. The regulation affects any business—irrespective of where it is located in the world—that collects or utilizes the personal data of EU citizens.

Of special note, is that the law is only applicable if the data was collected when the person was in the EU or the EEA region but does not apply if the data was collected while the person in question was outside of the EU or EEA zone.

In short, the GDPR affects all businesses that collect the personal data of EU citizens, even if the company does not have a physical presence in the region. The law applies to all sizes of businesses ranging from the likes of Facebook to even small micro-blogging sites.

The GDPR’s target is businesses that have a market in the EU. If an EU person visits a US-based website designed for the American market, that EU person is not protected by the GDPR.

A legal and a natural person

The GDPR applies to natural persons as opposed to legal persons.

A natural person is an individual who is granted human rights.

On the other hand, a legal person is any living person or non-human entity, which includes government agencies, corporations, or firms that can enter into legally-binding contracts.

American Companies Need to Know the Law

The best way for a business or entity to defend itself is to improve its knowledge. It is logical that US companies familiarize themselves with the GDPR and avoid unnecessary fines and legal battles.

The GDPR requires companies to be forthcoming about the data they collect, how they will store it, and what they intend to do with it. If a US company is to going to collect information from EU residents, it needs consent from these users. This should be given after the company has informed the users how their data will be handled. It should be done in clear and straightforward language.

After collecting the data, the US companies need to protect the data under GDPR guidelines—it is advised that legal advice is sought to interpret its terms since it is a complex and convoluted document.

GDPR’s 72-Hour Notification Rule

Data protection is one thing, but securing it forever without any mishaps is a tough nut to crack; one that has even gotten the better of some of the biggest tech companies with the best brains on the planet.

If information such as email addresses, and sensitive data such as financial and medical data, or information related to children is compromised, the company in question needs to inform an EU regulator or other relevant bodies within 72 hours.

If the security breaches involve the exposure of private information such as passwords and credit card numbers, then the data subjects need to be informed as well.

Tech companies are most at risk of data breaches, which could result in sensitive information being exposed to unwanted third parties. IT departments/consultants need to act swiftly if ever there is data loss, exposure, or unauthorized parties having access to data belonging to EU residents. Such breaches need to be identified immediately if they infringe on the rights and freedom of the affected data subjects.

How Tech Companies Have Responded to the GDPR

Major tech companies changed their modus operandi when the new law came into effect. Tech and data firms need to be flexible to such encompassing laws that could have a crippling impact on businesses if not properly followed.

Many companies spent a number of years changing and developing their data processes, policies, security measures in preparation for the GDPR. Some companies outside the EU closed their businesses to EU residents as they opted to steer clear of the GDPR.

Facebook, the largest social media network in the world with more than 2 billion active users globally, updated its site and policies so that it complies with the GDPR.

The tech behemoth launched new tools that gave users more control over their privacy and developed a new tool that allows users to find specific information and have the option to download and delete it.

American companies need to play their part by identifying where the data is stored and how they can minimize risks. Companies should take the necessary steps—such as data encryption—to safeguard user data.

GDPR Violations and Fines

The GDPR introduced heavy penalties for companies that do not comply with the new regulation. The penalties can be as high as €20 million ($22.9 million) or 4 percent of the company’s global turnover, whichever is greater.

No company is shielded from violating the GDPR. Google (being US-based) was recently fined €50 million by the French data protection watchdog CNIL for GDPR violations.

Conclusion

When it comes to the GDPR, the location of the servers does not matter. What matters is whether the website or business uses or processes the data of EU residents. This means that American companies need to comply with the data protection regulations or face the consequences, as Google has witnessed.

If you’re still unsure as to whether you need to comply with the GDPR or not, the best advice is always to seek legal counsel, even though the ruling is pretty simple. To be safe, and for the seemingly low cost involved of complying with the regulation versus the potential fines, it might be best to put the compliance in place.