Why this Boston-based company cares about an EU-based data privacy policy

Jim Jacobson, General Counsel, Aptus Health

Back in May, Aptus Health announced our full compliance with the General Data Protection Regulation (GDPR), right as it went into effect.  The most sweeping new data privacy and security regulation in a generation, GDPR requires companies that process personal data of EU residents to ensure that data subjects, including online users, are aware of (and can control) the personal data they share with companies. European companies—or those that operate in the EU—who fail to comply are at risk for monumental penalties and damages.

Yet a recent report from TrustArc (a GDPR platform provider) shows that since the May 25 deadline, only 27% of EU-based companies say they are compliant and just 12% of U.S.-based companies (like Aptus Health) are.

It’s interesting to see the reasons these companies most often cite as reasons for their compliance – client and competitive demands are significantly more important to them even than the risk of draconian penalties, fines and litigation.  Clients care about data privacy protection and will, increasingly, demand it.

Source: GDPR Compliance Status: A Comparison of US, UK and EU Companies. TrustArc, July 2018. 

As a global digital marketing organization focused on delivering high-value content to healthcare professionals and consumers—including those in the EU—we already had a comprehensive and effective data protection program in place. Even so, enhancing these programs and policies to ensure compliance required the expertise, guidance, and attention of dozens of employees, across almost all of our business units and geographies, in addition to outside legal and consulting expertise.

This proactive effort towards compliance was worth it. Here are just a few of the reasons.

Being ahead of the data privacy curve

Although GDPR compliance isn’t mandatory for US based companies who don’t process EU-based personal data, there are signs that such protections are coming. For example, California—which is often a bellwether for national regulations—has already enacted data privacy laws that address some of the new concepts covered by GDPR, such as individuals’ rights to erasure, portability and access to their personal data. In fact, California’s medical confidentiality laws related to data breaches are already being adopted in other states. It’s not unrealistic to think that that such stringent laws will continue to spread across the nation. When they do, companies like Aptus Health will already be prepared.

Ensuring privacy by design and default

Our approach to GDPR compliance isn’t a patch to our operations meant to avoid penalties or check the box – it’s built into our products, systems, and contracts from inception, and meant to set new industry standards of protection.  We anticipated and got out ahead of the TrustArc findings above Data privacy and security is in our bones. 

Serving as a good partner

Our data privacy policies and processes don’t just protect us, they also protect our clients, partners and consumers who use our services. Our clients operate in the highly regulated medical and pharmaceutical industries, and many have global footprints. As they continue to build their own global privacy infrastructures, our experience can help them address key privacy issues in their digital media operations and provide a seal of confidence that they have a partner who is ahead of the curve globally. 


The deadline may have passed, yet the spirit of GDPR is still very much alive and well across our global offices—even in ones that aren’t technically covered by the regulations.  Our proactive approach to GDPR compliance demonstrates our commitment to protecting and earning the trust of the people we serve. 

  1. ← Previous
  2. Next →