GDPR is the legislation for data privacy, and data protection implemented in 2016 for 27 member countries of the EU (European Union) and the EEA (Europe Economic Area).
It also states the rules for transferring data outside the EU. The primary goal of GPDR regulation is to give individuals control over their online data and to unify the business regulation within the EU.
The controllers and processors of personal data must take appropriate measures and use the best techniques to protect personal data. The business processor which handles personal data must design and make proper tools or techniques to safeguard the personal data of his clients.
GDPR was approved on 14 April 2016 and enforced on 25 May 2018. It shall be noted that it is a law, not a directive.
GDPR and the U.S.:
Although GDPR was designed in the EU, the regulation which it provides for data privacy and information protection reaches far and beyond the boundaries of the EU. The most notable reach of GDPR is the US – the leading trading partner of the EU.
Does GDPR apply to the U.S.?
Yes, GDPR applies to the US. It is because of article three in the GDPR, which states its territorial scope. Article 3 of GDPR describes that GDPR will not only be applied to the companies which are located in the EU but also will be applied to the companies which serve the EU/EEA residents from outside the EU boundaries.
Does GDPR apply to the U.S. companies?
Yes, GDPR applies to the U.S. companies, despite their size or revenue generation, if the companies meet at least one of the two following conditions:
-
If the company provides services or goods to the residents of the EU/EEA
-
If the company monitors the behavior of the residents of the EU/EEA
The personal data described by the GDPR involves photos, videos, names, addresses, device details (IP address, Phone Number), Biometric information, etc.
Keep In Mind
GDPR compliance requirements vary between organizations due to their characteristics. For example, if a company has less than 250 employees, there is no need for a record of data processing activities. However, the rule only applies if there is no risk involved to the data privacy or freedom of the individual over his data. Another condition involves occasional data processing by the company.