The General Data Protection Regulation (GDPR) goes into effect May 25. In the words of one of our favorite authors, we’d like to start by saying, “Don’t panic.” There are a lot of important points to know about this regulation, and many of them may affect the way you do business. But let’s take it slow and start from the top. What exactly is the GDPR, and why is it important?
What is GDPR?
The GDPR aims to give EU citizens more control over how their personal data is used and shared by companies they interact with. It also unifies regulations across the EU, so that one set of rules applies to all EU countries.
Why is GDPR Important?
As far as security and privacy regulations go, the GDPR is actually long overdue. The current regulations have been in place since 1995, long before Facebook or Twitter, and back when Amazon was basically an online bookstore. It’s past time to take consumers’ right to online privacy and security seriously.
Why is GDPR Important for American Companies?
One of the major changes of the GDPR is the scope. If your company gathers personal data on an EU citizen (even if you are a U.S.-based company), you are responsible for adhering to GDPR regulations. Note that an actual transaction does not have to take place for the information to require protection — if an EU consumer gives you their email address to subscribe to your newsletter, the regulation applies.
What Constitutes Personal Data?
The GDPR defines personal data as anything that can be used to identify an individual. Obviously, names, photos, contact information, and financial data are all included. But don’t forget about things like IP addresses and location data. Everything counts here.
What Does Consent Mean?
In order to collect personal data, you must have the consumer’s consent. The consumer must be absolutely clear on what they are consenting to (i.e., no lengthy boxes of legalese, simple and easily intelligible language only) and must be able to revoke consent at any time as easily as they gave it.
What If There’s a Security Breach?
If the exposure of personal data of EU citizens might result in a “risk to the rights and freedoms” of those citizens, you are required to report the breach to an EU regulator within 72 hours. If the breach involves the exposure of sensitive data such as credit card numbers or passwords, you are also required to notify any affected users.
What If I Don’t Comply?
Another major update to the legislation — the penalties are much stricter. Maximum fines for non-compliance can be as high as 4% of your global revenue, or 20 million euros, whichever is higher. Less serious infractions might still carry fines of 2% of revenue or 10 million euros.
How Will GDPR be Enforced?
Like many pieces of the GDPR puzzle, that remains to be seen. But it’s not a chance we recommend taking. Now’s the time to do a complete and thorough audit of your current data protection system, create or purchase tools that keep data secure, and ensure that any third-party companies you work with are also playing along. Educate your staff (including anyone who works with data) on what the new regulations entail. And while the GDPR only applies to EU citizens, you’re going to want to use the same security and privacy measures for everyone. It’s unlikely that U.S. clients are going to feel all warm and fuzzy knowing their data is less protected than that of their EU friends.
How Will GDPR Affect U.S.-Based Companies?
That depends. If your company does business regularly with the EU and with EU citizens, you should make sure you are in compliance as soon as possible. If only the occasional EU citizen stumbles across your site from time to time, this isn’t a crisis at the moment, but it should be something you think about going forward as more information becomes available. We are still in the early phases of understanding what GDPR compliance means and how it will be enforced.
What we do know is that it’s not something that should be ignored.
Douglas Adams reminds us, “Don’t panic.” The GDPR reminds us that we’re all consumers and that we should be protecting our clients’ personal information the same way we would want our own data protected. Let that be your guiding principle as you work within this new legislation.