There are four letters making waves across the pond and causing a ripple effect in the United States. Those letters are “GDPR,” and businesses are being forced to take note of these new regulations in the European Union and as they relate to companies and privacy measures in America. GDPR, or General Data Protection Regulation, addresses the export of personal data outside the EU and European Economic Areas (EEA). The primary aim is to provide greater control to citizens and residents over their personal data and to simplify privacy regulations for international businesses. Basically, a complete overhaul of how businesses process and handle data.
Since the implementation date of May 25th, 2018, questions have swirled feverishly about what these laws mean for American businesses, and how does the GDPR change (or work alongside) our own data privacy regulations? Because although this law exists in the EU, it has a global reach - just as the internet does. Businesses that aren’t located in the EU could still face penalties and fines if they do not comply with the legislation.
So, what do you need to know to abide by these new laws, and avoid “corporate punishment” (or a costly fine on your business)?
How is the GDPR different from all other privacy laws?
The EU already has the Privacy Shield and Data Protection Directive, so why are we now faced with the GDPR, and what makes it unique?
There are two main ways the GDPR is bringing a new spin to the current legislation. The first is that the GDPR is setting higher standards for getting your hands on personal data than ever before. Now, any time a company collects personal data on an EU citizen, it will need explicit or express consent from that person. Not only does a user need a way to take-back that consent, but they can also request all of the data a company has from them...at any time. That’s a lot stricter than any existing requirements, and it doesn’t just slap the wrists of companies inside the EU - that’s right, companies in the U.S are explicitly not excluded. If you’re in an industry that’s grown accustomed to collecting and sharing data with little to no restriction, the GDPR might force you to rewrite your own rules.
The second significant change is that the penalties are markedly more severe, and it’s drawing attention from every industry that stores or processes data. If you’re sitting down, the maximum fines per violation are set at 4% of a company’s global turnover (or $20 million, whichever is larger). Those fines are enough to cripple companies, from small business to enterprise level. That’s how serious the EU is taking data privacy this time around!
Redefining the word “privacy”
Recent large-scale data breaches have led to general unrest among consumers online. An alarming statistic for companies that deal with consumer data is the 62 percent of the respondents to an RSA report who say they would blame the company for their lost data in the event of a breach, not the hacker. So, the GDPR has both the consumer and the business at heart, even though it seems like tough love. Here’s are just a few of the types of privacy data the GDPR seeks to protect:
- Basic identity information such as name, address and ID numbers
- Web data such as location, IP address, cookie data and RFID tags
- Health and genetic data
- Biometric data
- Racial or ethnic information
- Political opinions
- Sexual orientation
Ultimately, what will change?
Really, there are two questions to concern yourself with: What changes will you see once the GDPR rolls out, and what will your business have to change in order to be in compliance? The most obvious and immediate changes are the requirements that affect permissions and consent. So, companies will be asking for your permission to collect your data online a LOT more often. Ready yourself to see more fine print, more “click to proceed” buttons, and required signatures/permissions when you’re giving away information like your name, location and email address.
The GDPR also sets some pretty strict rules for how companies share data after it’s been collected, which means companies may have some work to do rethinking the way they approach lead analytics, logins, and, above all, advertising. It will be essential for your business to determine the EU data you possess, where and how it’s kept, and set compliance policies for how that data will be collected, managed, and even destroyed.
Are you subject to GDPR?
The short answer is that any company that stores or processes personal information about EU citizens must comply with the GDPR, even if they do not have a business presence within the EU. Here are the specific criteria for companies required to comply:
- A presence in an EU country.
- No presence in the EU, but it processes personal data of European residents.
- More than 250 employees.
- Fewer than 250 employees but its data-processing impacts the rights and freedoms of data subjects, is not occasional or includes certain types of sensitive personal data.
By our count, that’s most (or many) companies. Since we’re in the business of information management, this topic is of great interest to our clients and us. We can help you manage the information you have, how records are stored and processed, and ultimately, help you navigate complex data regulations like the GDPR.