Is GDPR a Law?
A law is simply a rule or set of rules that is agreed upon by the government or an official agency to specify how people, companies, or other entities should behave and what the consequences will be when this doesn’t happen. So, is GDPR a law? Read on to find out.
Or, learn more about what GDPR specifies and how it may impact your business.
What is an EU Regulation?
The European Union (EU) is an institution that brings together 28 European countries to help address common concerns, like economic stability, environmental issues and human rights. It has the power to make suggestions about how countries should act or to make governing laws, called regulations.
To those in parts of the world outside of the European Union, the word “regulation” may not necessarily inspire an idea of legality. However, in the European Union, regulations are akin to laws: they are a set of rules that have been agreed upon by the governing bodies, the European Parliament and the Council, and include defined consequences. Given that the General Data Protection Regulation (GDPR) is a regulation, it is very much like a law in the United States.
Regulations are binding agreements that apply to all members of the EU. This means that, once signed, every country in the EU must abide by its terms.
United States Regulations vs. EU Regulations
Think of the General Data Protection Regulation like a federal law. In the United States, a federal law would apply (with periodic exceptions) to those in all 50 states. Similarly, an EU regulation applies to all countries that are members of the Union.
What can be confusing is that the United States also has regulations. In the US, regulations are a series of codified rules that are developed and implemented by administrative agencies. These agencies are official bodies that have responsibility for figuring out the way in which a law should be enforced, such as the Environmental Protection Agency or the Securities and Exchange Commission. Most often, regulations in the United States carry the same weight as a law in that they must be followed and can have attached consequences when this does not happen. The difference is primarily in how the regulation is developed; in this case, by an agency, as opposed to by the US Congress with representation from each state.
Can the Consequences of the GDPR Law Apply in the US?
Yes, the consequences of GDPR can apply to any business that handles data belonging to EU citizens. So the company can be located in the United States, Australia, Brazil or any other part of the world. If it controls or processes data belonging to EU citizens, it must comply with the regulation. Failure to do so can result in a fine of up to 4% of annual worldwide revenue or 20 million Euros, whichever is higher.
Protect Your Business
Guard Against GDPR Fines
GDPR compliance applies to the way in which organizations handle data and the processes they have in place to keep data safe. This means that companies must clearly define what these processes are. Once they have done so, it’s critical that they document the processes, as well as the steps they have taken to follow these processes. To avoid any complications, the best case scenario would be to document the processes using a system that tracks revision histories, so there is no doubt or question about what happened in the event of an audit.
And this doesn’t only mean in the moment while handling data. It also means that, as businesses evaluate changes to their systems (or new systems entirely), part of their process outlines the precautions they have taken to keep data safe. Again, documentation of this is critical.
Of course, the intent of the GDPR law is to encourage compliance. The goal is to protect people and their data, so it’s not simply about churning out paperwork to avoid fines. It’s about putting people and their best interests at the heart of your business.