The days of business and industry being a largely domestic affair are long gone! Now, the world is a much smaller place thanks to technology and the internet. This means that even if your business is based in the U.S., you need to follow certain pieces of legislation that other countries put forward, such as the GDPR, a new data privacy law from the European Union.
What is GDPR?
GDPR stands for General Data Protection Regulation. According to the EU, the GDPR was “designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy.” It covers a wide range of topics. Here are some of the specifics:
- Terms and conditions filled with legalese are not sufficient. Any request for consent to use personal data has to be in plain language.
- Consent has to be as easy to withdraw as to give it.
- Companies have 72 hours to notify customers of a data breach.
- People can request a copy of the personal data a company has collected.
- People have the “right to be forgotten,” which means they can request a company delete or stop using their information.
- All data collected is subject to “privacy by design” requirements. This means that data protection needs to be built into any information collection system, and access to all personal data is on a need-to-know basis.
Why Does GDPR Matter for U.S. Businesses?
You might be wondering why all the fuss. After all, you are based in the U.S. and this is an EU rule, right? Not exactly. GDPR applies “to the processing of personal data by controllers and processors in the EU, regardless of whether the processing takes place in the EU or not,” writes the GDPR Portal.
“The GDPR will also apply to the processing of personal data of data subjects in the EU by a controller or processor not established in the EU, where the activities relate to offering goods or services to EU citizens (irrespective of whether payment is required)… Non-EU businesses processing the data of EU citizens will also have to appoint a representative in the EU.”
While the GDPR will most impact e-commerce, travel, hospitality, and software, any company with web content designed to appeal to EU residents will be affected and the cost of non-compliance can be steep. Any breach of the terms of GDPR would mean that a company – your company – could be fined the greater of 20 million EUR or 4 percent of global annual turnover.
How to Prepare for GDPR?
According to Gartner, only around 50 percent of companies are going to be compliant by the end of 2018 – don’t let that be your company. Even if most of your customers or website visitors are stateside, you don’t want to risk a penalty.
Prepare for GDPR by seeing where you currently stand with regard to compliance.
- Start by determining whether you are a controller or a processor. GDPR legislation says that both are responsible for data protection, but in different ways. You may need to consult with legal counsel.
- Next, consider the other legalities. You will need to figure out to which of the EU member states your company should report and you will need to appoint a representative from your company to do so. You might also need a Data Protection Officer.
- Now, audit your current data. You will be required to have a single view of each data subject. If you don’t already have that capability, you may need to upgrade your database. Also, look at your processes, policies, and procedures as well as any third-party agreements you have in place.
- Finally, spend some time redesigning the way you ask for customer consent to use their data and working on your disclosures. The GDPR is very specific. Work with your legal team to ensure that you are following the rules when it comes to data collection, data distribution, and how your company protects the privacy of customers.