How Will the European Union's New Privacy Regulations Impact Your Business?

June 22, 2018

On May 25th, 2018 a new set of data regulations were adopted in the EU, primarily with the purpose of giving EU residents better control over their personal information.

On May 25th, 2018 a new set of data regulations were adopted in the EU, primarily with the purpose of giving EU residents better control over their personal information. The General Data Protection Regulation (GDPR) also addresses the exporting of information outside of the EU. For businesses in the United States, these regulations will have an impact, and there are certain measures and processes, which will need to be addressed, especially for those in the marketing and communication sectors.

How Does the EU Law Impact U.S. Businesses?

Although this is not yet a law in the US, it is now an EU regulation. Because of this, it does not require the US Government to pass any type of legislation for it to become binding or applicable. If your company processes data for any citizen or business within the EU, even if you don't have an office there, you need to become compliant.

If you don't, there are strict penalties, and although they would not be instantly enforceable, they could be anything up to 4 percent of your company's global turnover or 20 million euros, whichever is the greater number.

This new regulation applies to your company if:

  • You offer any services or goods to EU citizens, whether free or paid for
  • Your business was established or incorporated within the EU
  • If you accept payments into your business in Euros
  • If you oversee, monitor or in any way watch the behavior of persons residing within the EU

So, if your company ships products to the EU or you handle personal information for any individual who is located in the EU, whether they are a US citizen or not, then you must comply.

What Are Your New Obligations Under GDPR?

If you process or control information, then you are obliged to carry out new processes within your business. It is important to be aware of the new compliance issues. To assist you, we have outlined a few practical examples of the actions you can take to meet these obligations:

  1. Only use personal information for legitimate reasons, such as original intended purpose only.
  2. Be clear with people and tell them exactly how you will use their data.
  3. Do not collect information that you do not need.
  4. Make sure the information is processed in a way that retains its accuracy.
  5. Delete the information when you no longer need it.
  6. All data must be processed securely.

Data Protection Officer

If you work in a marketing or communications business in the U.S., and your company undertakes systematic or regular monitoring on a large-scale, you must appoint a dedicated Data Protection Officer who is available for any GDPR requests that could be made.

Privacy Policy

If you change your Privacy Policy, you need to inform your contact of any changes and be clear about what is changing.

Transfer of Information

If you need to transfer data to a third-party -- this doesn't just refer to selling that information, it could be something as simple as giving information to a marketing company you work with or even an accountant; then you must ensure that third-party is also GDPR compliant. If they are not or they breach GDPR, you could be held accountable for the breach.


You need to request consent for the explicit use of personal information. In doing this, you need to provide people with a form that is easy to access and make it easy for people to 'opt-out' and be able to remove their consent. Separate requests are needed for each collection, and you also need to send a "just in time" notification before any information is processed or collected.

This is one of the most significant changes that mean many businesses in the US and worldwide need to change their communications systems and related data collection processes.

Another important note is that if someone requests for you to remove their information, unless you have a genuine requirement for that data, you need to comply with their request promptly.

For more information on GDPR, you can visit the UK's ICO GDPR website.

As a final note, you need to make sure that any suppliers or third parties you work with are GDPR compliant as per your obligations.

Share this page icon

Previous Post:
Why Invest in Market Research

Next Post:
Why Do Research In Washington, D.C.?

More from Shugoll Research: