Although Europe’s General Data Protection Regulation (GDPR) was a hot topic last year, many Americans might not fully understand its impact and how to navigate it when conducting business overseas. The GDPR is the new data privacy law of the European Union and several other countries, and its reach stretches well beyond Europe. The law is comprehensive: it consists of ninety-nine articles and is supplemented by two dozen national laws.
The goal of this blog post is to help companies outside the EU determine if they should look at the GDPR more closely. The flowchart below is a good starting point for evaluating whether the GDPR applies to your business operations. In short, if you have a business presence in the EU (plus Norway, Iceland, and Liechtenstein), provide data processing services to such businesses, offer your goods or services to EU residents, or “monitor” behavior of EU residents, then the GDPR applies. Even if the GDPR does not apply to your company’s operations, pay close attention to privacy laws in other countries because numerous jurisdictions have adopted, or are considering adopting, laws similar to the GDPR.
If the GDPR is triggered, you should ensure that any processing of personal data about EU residents is GDPR-compliant because the potential maximum penalties for violating this law are steep: up to €20 million ($22.5 million) per violation in fines, plus the threat of civil lawsuits, and even jail time in certain countries.
In some circumstances, U.S. businesses may be able to avail themselves of the much simpler set of rules under the EU-U.S. Privacy Shield Framework to meet their data protection obligations.
The GDPR is a big deal in Europe because Europeans treat individuals’ rights to control their personal information and to have it protected as fundamental human rights. This is similar to how we view “life, liberty, and the pursuit of happiness” as inalienable rights of all Americans.
Illya Antonenko is Data Protection Officer and Counsel for TRACE, a globally recognized anti-bribery business organization. Prior to joining TRACE, Mr. Antonenko practiced law for fifteen years in a number of leading U.S. law firms and in-house. His practice included assisting clients with FCPA compliance matters and investigations, cross-border transactions, and general corporate issues.
Frequent travelers know the value of pre-trip research. Having a good country guide—whether personal or paperback—can be the difference between enjoying the finest a region has to offer and getting caught in a tourist trap.
The TRACE Bribery Risk Matrix aims to be such a guide—not for restaurants and historical sights, but for the corruption risks you’re likely to face when doing business abroad.
At the most basic level, each country has a risk score between 1 and 100. The bigger the score, the more caution is warranted.
But just as savvy vacationers review a range of details about their destination, ethical entrepreneurs should understand the different factors that can make a country more or less bribery-prone. The Matrix therefore includes sub-scores to tell you how well or poorly each country maintains the conditions for discouraging bribery demands:
Robert Clark is the Manager of Legal Research at TRACE, a globally recognized anti-bribery business organization headquartered in Annapolis, Maryland. He has been responsible for the ongoing development of the TRACE Bribery Risk Matrix following its original publication in 2014, and is the chief designer of the Matrix Data Browser.
Contributors and Writers are members and associates of the MD/DC District Export Council. The views expressed do not necessarily represent the opinions of the MD/DC DEC.