U.S. Small Business Owners and Europe’s General Data Protection Regulation

GDPR General Data Protection Regulation

The five data privacy insights U.S. small business owners need to be familiar with. 


On or around May 25, 2018, I started to receive notices from banks, websites to which I subscribed, vendors, and even from attorney’s offices, from which I received newsletters, notifying me that their respective privacy policies were being revised in response to the European Union’s General Data Protection Regulation (GDPR) that was coming into effect.  

The GDPR is a piece of legislation passed by the European Parliament. It is not a U.S. law, but it has such jurisdictional reach as to pull in almost any company that receives or could receive personal data from citizens of the European Union.

As one legal commentator explained, “. . . if your organization is a U.S. company with an internet presence, selling or marketing product over the web, or even merely offering a marketing survey globally, you may be subject to the GDPR.” [1]

The GDPR’s reach is not unlimited. Companies with an internet presence, but that are based in the U.S. and intend only to cater to the U.S. market are, likely, not covered by the regulation. E-commerce companies that market, even in small measure to Europeans, provide a financial facility for them to be able to purchase goods from the U.S., or provide the capacity of a multilingual website to appeal to European purchasers, are most likely covered. 

Mechanisms of enforcement with respect to U.S, companies without a physical presence in the Europe need clarification, but the penalties for violating the GDPR are severe.

According to the European Commission, which provides online educational resources concerning the GDPR, Data Protection Authorities charged with enforcing the regulation will have the power to impose fines on businesses for up to 20 million EUR or 4% of a company’s worldwide revenues, whichever is greater.[2] The severity of the potential fines involved have naturally galvanized a wave of efforts to comply with Europe’s new data privacy rules.

Because of the long reach and wide coverage of the GDPR, and also because it may well be a foreshadowing of potential U.S. data privacy legislation, it is worth reviewing its high points.

Here are the five key insights which impact U.S. small businesses:

1. The Definition of Personal Data

One of the most prominent features of the GDPR is its broad definition of “personal data” which is defined as “. . . any information that relates to an identified or identifiable living individual.  Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data” 

The regulation does not apply to deceased persons or legal entities.

Also included within the definition of “personal data” is encrypted (so called pseudonymized) data that is reversable, i.e. can become again accessible to the reader. For encrypted data to fall outside the definition of “personal data” the “anonymization must be irreversible.”

The GDPR protects personal data regardless of the technology used to transfer or process it. 

As explained by the European Commission, examples of “personal data” are:

(i) name and surname of a person

(ii) home address

(iii) email address

(iv) identification card number

(v) location data

(vi) internet protocol (IP) address

(vii) cookie address, etc. [3]

2. Clarity of Language and Affirmative Consent

The GDPR requires that privacy policies have to be written in a “clear, straightforward language.” 

Prohibited now is the complicated legalese buried at the bottom of a website in micro-print.

Related to the fact that privacy policies must be readable and understandable is the concept that the user must “affirmatively consent” for a business to be able to use her data. As the European Commission explained, “Silence is not Consent.”  

Unlike Europe, the U.S. is a hodgepodge of state and federal laws governing internet privacy, but, for the most part, the theme is that unless a user objects to the exploitation of her personal data, there is no prohibition against its use. The GDPR reverses this presumption.

3. More Transparency

Businesses will no longer be able to transfer personal data to another party without “clearly informing” the user.

Moreover, although businesses will continue to be able to collect and process personal data, they will only be able to do so for a “well-defined purpose”. If a business changes the purpose behind its collecting and processing of personal information, the user will need to be informed about the new “purpose.”

If a decision by a party impacting on a user relates to that party’s applying an algorithm to personal data, i.e. approving loans based on an algorithmic process, the user must be informed by such party about whether the decision is automated and afford the user an opportunity to contest the results of the algorithm.

Next page- #4 Stronger User Rights, #5 Stronger Enfircement Measures and Take away


Sustainability: Ten Insights Grow Your Business

Sustainability: Ten Insights Grow Your Business

Earth Day 2024, sustainability good for the planet, businesses and future generations Sustainability is a multifaceted and dynamic concept that is essential for the health and longevity of our planet. It refers to the practices, strategies, and philosophies that aim...

Latinos Have Been Making An Environmental Impact

Latinos Have Been Making An Environmental Impact

As this Monday Earth Day, let's recognize some Hispanic pioneers and champions of sustainability change As the world deals with the pressing challenges of climate change and sustainability, Latino environmental activists are rising as champions of the earth. They...

“I Don’t Like My Increase!”

“I Don’t Like My Increase!”

3 business owner tips on how to deliver base pay messages By now, your company has likely completed its merit cycle, and the responsibility of delivering the merit increase to your employees falls on your shoulders. These communication tips can serve as your guide to...

Video Gallery

Modern version of Stoic philosopher Epictetus
A professional leads a cybersecurity training session for employees, emphasizing best practices. The photography captures the engagement of participants, showcasing the educational aspect of safeguard
Hispanic bearded male businessman trainer teaching coaching new recruitment African American female businesswoman employee in formal suit sitting studying learning company graph chart strategy
The presence of a robot using a computer. Office keyboard being typed on by machine. future IT group,.
Latino Streetwear Entrepreneur Latin Biz Today
Chef Lorena Garcia cooking with a wok
Latina Chef Loren Garcia
Latin Biz Today partner Johanna at the San Sebastián Festival


Which item currently represents the greatest hurdle in the growth of your business?(Required)

Sign Up for the Latin Biz Today Newsletter

PR Newswire

Featured Authors

Innovation & Strategy


Four Basic Principles for Raising Capital

Four Basic Principles for Raising Capital

Outside investors want to understand a business' strategy as well as its financial statements.   The need to raise capital from outside investors requires a great deal of preparation across multiple dimensions. Among many things, investors look to understand...









Work & Life


Health & Fitness

Travel & Destinations

Personal Blogs

Pin It on Pinterest