Data protection laws differ between countries and continents. Here's what you need to know about data protection in the US vs Europe.
Every business handles data, and there are countless laws and regulations around protecting that data. This is a good thing for consumer privacy, but these regulations are often confusing for businesses to navigate - particularly if you deal with customers, clients, employees and/or vendors in different countries.
So this week, we've tried to break down the different data protection rules and regulations so you can make sure you're compliant across jurisdictions. Of course, this is just a guide; you should always seek legal advice before making any decisions about how you process, handle or store data.
Here's what you need to know about the differences for data protection in the US vs Europe.
1. Data protection laws in the EU and UK
In Europe, data protection has long been treated as a matter of fundamental rights to privacy. Currently, the EU is working under the Data Protection Directive (95/46/EC), which applies to all businesses and sectors.
But as of 25th May 2018, the General Data Protection Regulation (GDPR) will take full effect. And yes, despite Brexit, GDPR will apply to businesses in the UK. This new regulation takes the existing law a step further, giving individuals greater transparency and control around data collection, privacy and the sharing of personal data.
Read about how you can prepare your business for the GDPR here.
2. Data protection laws in the US
By contrast, the US doesn't take the same 'citizen first' approach to data handling and protection. There is no single federal privacy law; the two key federal instruments are Section 5 of the FTC Act, which prohibits 'unfair and deceptive practices', and COPPA, which makes sure children's data is protected properly.
There are also fragmented, sector- or state-oriented approaches to data privacy in the United States. The main sector-specific laws cover healthcare companies (HIPAA) and financial institutions (GLBA). The state of California has its own separate data protection legislation, too.
So US laws aren't non-existent. If anything, they're wide-ranging, complex and vague. But while the framework is expansive, it is generally considered less stringent than the EU's.
3. What if I'm in the US, and have customers in the EU? Or we're planning an overseas expansion?
Doing business in the EU offers huge opportunity for businesses to increase their market share and revenue. But, if you're setting up an international office or transferring data across the Atlantic, you need to make sure you keep it lawfully protected.
Here are the current and upcoming requirements for moving EU personal data across the Atlantic:
- Right now: compliance with the EU-US Privacy Shield. This recently replaced the Safe Harbor agreement, which was invalidated in a post-Snowden world of cloud computing and big data. Compliance isn't too difficult, as businesses can self-certify, but the commitments you certify to are enforceable by the FTC.
- By May 2018: compliance with the GDPR. Privacy Shield only covers the transfer itself, and there's still concern over its effectiveness. From May next year, any business handling EU residents' personal data needs to protect it to GDPR standards, wherever that business is based.
In a recent PwC survey of American multinational organisations, 92 percent said GDPR compliance is a top priority, and 71 percent have already started preparations. These include privacy policies, IT security and discovery of all the data they currently have.
4. What if we use digital marketing tools, website cookies, or automated emails?
The digital world means business marketers are likely to be collecting the data of customers from the US and the EU – and indeed, all over the world.
In the US, the data that needs protecting is classed as 'Personally Identifiable Information' (PII): names, addresses, telephone numbers and the like. Commercial email works on an 'opt-out' basis under the CAN-SPAM Act: you can send until the recipient asks you to stop, and every message must give them a way to do so.
In the EU, businesses are required to protect all 'personal data', a category that includes cookie identifiers and IP addresses. Currently, tick-box consent or a simple 'okay, I get it' banner on your site is generally accepted as sufficient for the use of cookies.
But when the GDPR kicks in, consent has to be unambiguous and given by a clear affirmative action, including explicit consent for cookie-based tracking, and you must be able to demonstrate that it was given. In practice that means a double opt-in for marketing communications: the sign-up isn't complete until the subscriber confirms it from the address they gave, and you keep a record of when and how they did.
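The double opt-in described above, as an added example that is not part of the original article or any Pensar tooling: the confirmation link carries an HMAC-signed token bound to the address, purpose and sign-up time, and consent is recorded only when a valid, unexpired token comes back. The signing key, the 48-hour expiry, the in-memory consent table and the sample address are all assumptions made for the example.

```python
"""Double opt-in for marketing consent: a signed confirmation token plus a
consent record that marketing code must check before sending anything.
Added example; key, TTL and storage are assumptions, not a real deployment."""
import base64
import binascii
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Assumption: in production this comes from a secret store, not a fresh random value.
SIGNING_KEY = secrets.token_bytes(32)
TOKEN_TTL_SECONDS = 48 * 3600  # assumption: confirmation links expire after 48 hours


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_confirm_token(email: str, purpose: str, issued_at: int, key: bytes = SIGNING_KEY) -> str:
    """Token placed in the confirmation link: base64(payload).base64(HMAC-SHA256)."""
    payload = json.dumps({"e": email, "p": purpose, "t": issued_at},
                         separators=(",", ":"), sort_keys=True).encode()
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64e(payload)}.{_b64e(mac)}"


def verify_confirm_token(token: str, now: int, key: bytes = SIGNING_KEY,
                         ttl: int = TOKEN_TTL_SECONDS) -> Optional[dict]:
    """Return the payload if the MAC is valid and the token is unexpired, else None."""
    try:
        payload_b64, mac_b64 = token.split(".")
        payload, mac = _b64d(payload_b64), _b64d(mac_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, mac):  # constant-time comparison
        return None
    data = json.loads(payload)  # safe to parse: the MAC proves we produced it
    if now < data["t"] or now - data["t"] > ttl:
        return None
    return data


@dataclass
class ConsentRecord:
    email: str
    purpose: str
    requested_at: int
    confirmed_at: Optional[int] = None
    withdrawn_at: Optional[int] = None


@dataclass
class ConsentStore:
    """In-memory stand-in for the consent table (assumption: real code persists it)."""
    records: dict = field(default_factory=dict)

    def request(self, email: str, purpose: str, now: int) -> str:
        """Step 1: record the sign-up as pending and return the token for the email."""
        self.records[(email, purpose)] = ConsentRecord(email, purpose, requested_at=now)
        return make_confirm_token(email, purpose, now)

    def confirm(self, token: str, now: int) -> bool:
        """Step 2: the subscriber clicks the link; only a valid token matching the
        pending request records consent. Re-requesting invalidates older tokens."""
        data = verify_confirm_token(token, now)
        if data is None:
            return False
        rec = self.records.get((data["e"], data["p"]))
        if rec is None or rec.requested_at != data["t"]:
            return False
        if rec.confirmed_at is None:
            rec.confirmed_at = now  # the evidence of consent: when it was given
        return True

    def withdraw(self, email: str, purpose: str, now: int) -> None:
        rec = self.records.get((email, purpose))
        if rec is not None:
            rec.withdrawn_at = now

    def may_contact(self, email: str, purpose: str) -> bool:
        """The check every send path must make before emailing a subscriber."""
        rec = self.records.get((email, purpose))
        return rec is not None and rec.confirmed_at is not None and rec.withdrawn_at is None


def demo() -> dict:
    """Walk the flow with a constructed sign-up and return each decision."""
    store = ConsentStore()
    t0 = 1_700_000_000  # constructed sign-up time
    email, purpose = "alice@example.com", "newsletter"  # constructed sample
    token = store.request(email, purpose, now=t0)
    # Forgery attempt: someone else's payload spliced onto Alice's MAC.
    forged = make_confirm_token("mallory@example.com", purpose, t0).split(".")[0] + "." + token.split(".")[1]
    results = {
        "before_confirm": store.may_contact(email, purpose),
        "forged_rejected": store.confirm(forged, now=t0 + 60),
        "expired_rejected": store.confirm(token, now=t0 + TOKEN_TTL_SECONDS + 1),
        "confirmed": store.confirm(token, now=t0 + 60),
        "after_confirm": store.may_contact(email, purpose),
    }
    store.withdraw(email, purpose, now=t0 + 3600)
    results["after_withdraw"] = store.may_contact(email, purpose)
    return results


if __name__ == "__main__":
    print(demo())
```

The record keeps the request time, the confirmation time and any withdrawal, which is the evidence you would produce if asked to show that consent was obtained and honoured; the send path never consults the sign-up form, only `may_contact`.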
5. The GDPR is likely to go global, but it's not all bad
Unclear laws are also complex for businesses to follow, meaning you can easily be caught out for accidental misuse, and maybe even fined.
In this sense, the GDPR is a model student for data protection. It's the simpler narrative, and it's very likely to go global. So, any future-driven company that's not in the EU should be looking to comply anyway.
6. The really good news: new regulations help your digital marketing strategy
New, stricter regulations aren't just about following rules. And they definitely won't stifle innovation – they'll encourage it!
If you use marketing automation tools, many are working towards being pre-configured with data protection standards, so you'll probably just need to tweak a few settings to get your digital marketing under control.
Need more help with compliant data protection?
Whether you're just in the EU or US, Pensar can help get your business fully prepared for the GDPR and other data protection laws. If you're expanding into the EU, we specialise in helping companies set up an office overseas, too.
Download the PDF below, or message us in the pop up!