US companies should not ignore the EU’s GDPR

George Miller | 29 August 2018

Following a seemingly endless barrage of marketing emails asking consumers to opt-in to keep receiving communications, the European Union’s General Data Protection Regulation (GDPR) came into effect on 25 May, marking the enactment of a sweeping data protection law that governs how data is collected and used in the EU’s 28 countries. Predictably, given the severe sanctions for non-compliance, a number of global data-driven companies, including Google, Facebook, Instagram, and WhatsApp, were hit with privacy complaints within hours of GDPR taking effect.

It’s all about the data

The GDPR is a principle-based regulation that must be adopted in national legislation by the EU member states. It will therefore take time for many of its somewhat vague provisions to be refined and interpreted by courts.

This does not mean that US companies can now forget about the GDPR, however. The effects of the regulation extend well beyond the European Union (EU), with requirements applying to any company that collects personal data or behavioral information from someone in an EU country. Given the extent of the web’s reach, this includes just about every company with a web presence. Some of the GDPR’s other notable provisions and requirements include:

  • Consumers have “the right to be forgotten”—the right to have data about themselves deleted so that third parties cannot trace them.
  • Consumers must explicitly consent to having their data collected and processed. The focus is on informed and unambiguous consent, in other words opting in, instead of opting out.
  • “Data portability” – consumers have the right to request the transfer of their personal data between data controllers.
  • Any breaches of data systems must be reported to EU regulators or a “supervising authority” within 72 hours of discovery. If the breach poses a “high risk” to consumers’ privacy or property—if their credit card numbers or account passwords have been exposed, for example—the consumers who were potentially harmed must also be notified.

The cost of (non-) compliance

How the EU will enforce the GDPR’s penalties against US businesses is still unclear, but the cost of GDPR compliance has already been enormous, with many businesses going into compliance panic mode as the go-live date of 25 May approached.

According to a report by, when the GDPR went into effect, US-based companies had spent nearly $7.8 billion to avoid multi-million-dollar fines and penalties, with an average of $16 million spent per Fortune 500 company. These amounts are likely to keep rising, with other countries and states, most notably California, being in the process of implementing data protection laws.

Challenges and opportunities

The GDPR reflects, to a large extent, how valuable a commodity data has become, and how important protecting personal information is. While the initial panic over GDPR compliance has subsided, it is worth remembering that compliance is not a fixed target, but rather an ongoing process.

Just like all businesses, financial institutions (FIs) will now have to obtain explicit consent from consumers before storing their personal data; silence, inactivity, or pre-ticked boxes—which many FIs previously considered to be tacit consent—will not suffice. In addition, the provision of customized services to bank customers based on personal data will have to be reviewed. FIs will need to determine which data is being collected to provide that customized service, and whether the individual has consented to its collection and processing. Reviewing legacy systems to ensure that FIs have the functionality to implement GDPR requirements will also be necessary.

While compliance with the GDPR might seem burdensome, the regulation ultimately provides customers with greater data security. FIs looking to enhance the relationship they have with their customers can turn GDPR compliance into an opportunity. Having customers associate their bank with protecting their personal information, by asking them to authenticate themselves when logging into their digital platforms and performing sensitive transactions, will ensure that customers feel protected and in control when transacting digitally. That leads them to transact more, and opt into more services – paving the way for the bank to become a trusted financial advisor.

About the author

George Miller

Legal Counsel Partnerships
