On May 25, 2018, the General Data Protection Regulation (GDPR) becomes enforceable across the European Union. The regulation aims to strengthen data privacy and data protection for individuals in the EU.
The GDPR will immediately change how companies may collect, store, and process personal data about users. Here, we examine what the GDPR is, how it affects US businesses that deal with EU clients and partners, and what the legislation may mean for the future of privacy regulation.
What Is GDPR
The GDPR was approved and adopted in April 2016 and becomes enforceable this May, after a two-year transition period. It replaces the Data Protection Directive of 1995 (Directive 95/46/EC). Unlike the directive, the GDPR explicitly extends its reach to companies outside the EU that process or store personal data about individuals in the EU.
Because it is a regulation rather than a directive, it applies directly and uniformly across all member states, replacing a patchwork of national implementations with a single set of rules intended to provide stronger privacy and data protection for people in the EU.
Any company that collects personal data from individuals in the EU, wherever the company is located, must comply.
In practice, this means that any business that collects, analyzes, or stores client data must follow a strict set of conditions governing, among other things, how data is gathered, the purposes for which it may be used, and how long it may be retained.
What User Data Is Covered
The GDPR covers "personal data," meaning any information relating to an identified or identifiable natural person. That definition reaches virtually all data routinely requested by websites, including:
- IP address
- Email address
- Physical address
- Name and username
- Information about the device used to access the service (device identifiers, browser details, and similar)
- Financial information
- Personal details such as date of birth, and "special category" data such as political opinions or religious beliefs, which are subject to stricter rules
- User-generated data such as uploaded images, blog posts, tweets, etc.
How Is It Covered
To give a quick GDPR overview, the regulation sets out principles that every business must follow when handling personal data. Data must be processed lawfully, fairly, and transparently. It may be collected only for specific, explicit, and legitimate purposes and may not be reused for incompatible ones. Collection is limited to what is necessary for the stated purpose (data minimization). Data must be kept accurate and up to date, and stored in identifiable form for no longer than necessary. Finally, it must be processed and stored with appropriate technical and organizational security measures that protect confidentiality and integrity.
Protecting Individual Rights
In essence, the General Data Protection Regulation (GDPR) grants a set of rights to individuals over the data that companies routinely capture, store, analyze, and process about them. These include the rights to access their data, to have inaccurate data corrected, to object to certain processing, and to receive their data in a portable format. One of the most prominent is the right to erasure, often called the right to be forgotten: individuals may require a business to delete their personal data, for example when it is no longer needed for the purpose it was collected for or when they withdraw consent. The right is not absolute, since a business may retain data it is legally obliged to keep, but it must be able to act on valid requests.
Another major change is mandatory breach notification. Under the GDPR, a business that suffers a personal data breach must notify its supervisory authority within 72 hours of becoming aware of it, where feasible, unless the breach is unlikely to result in a risk to individuals.
When the breach is likely to result in a high risk to the affected individuals, they must also be informed without undue delay about what data was affected and what steps they can take to protect themselves.
What The GDPR Means For Businesses Outside The EU
One of the most significant aspects of the GDPR is its impact on organizations based outside the EU. Any business that has users in the EU is affected, which means the regulation reaches businesses across the globe. In the past, many non-EU organizations collected data by default and left it to EU users to opt out. Under the GDPR, where consent is the basis for processing, it must be freely given, specific, informed, and unambiguous, signalled by a clear affirmative action; pre-ticked boxes and silence do not count, and consent must be as easy to withdraw as it was to give. Consent is only one of several lawful bases for processing (others include performance of a contract and legitimate interests), but whichever basis applies, the business must be able to demonstrate it.
Any business that offers goods or services to people in the EU, for example by targeting an EU market or publishing EU-localized web content, or that monitors the behaviour of people in the EU, falls within the regulation's scope. Travel and hospitality services, software services, and eCommerce businesses are particularly likely to be affected.
What Is GDPR Going To Do To My Business?
If your business operates in the EU, or offers goods or services to people in the EU, you are required to comply with the GDPR. You may need to change the way you collect, store, and process user data: how you notify users about data collection, the lawful basis on which you collect it and how you record consent where consent is that basis, and how long you retain the data.
In other words, your business will need to review how it informs users about data collection to ensure compliance with GDPR standards, and it will need to follow the regulation's strict rules on collection, retention, and security. If it does not, the penalties can be crippling.
GDPR Penalties Overview
The GDPR carries stiff penalties for organizations that fail to comply. Supervisory authorities have a range of corrective powers, including warnings, reprimands, orders to bring processing into compliance, and temporary or permanent bans on processing. They can also impose administrative fines directly, without a prior warning or repeat violation. Fines are tiered: up to 10,000,000 EUR or 2% of total worldwide annual turnover for the preceding financial year for infringements such as inadequate security or failure to notify a breach, and up to 20,000,000 EUR or 4% of worldwide annual turnover for infringements of the core principles, the lawful bases for processing, or individuals' rights. In each tier, whichever amount is higher applies.
As you can see, failure to comply with the GDPR carries heavy penalties.
Will This Lead To Similar Legislation In The US?
While the GDPR will certainly impact many US-based businesses, the larger question is what it will mean for US data privacy legislation. The EU has a long history of strict legislation concerning user rights and corporate limitations, so this type of regulation in Europe is not surprising.
So, will we see similar legislation concerning data privacy in the US?
American consumers have tended to trust corporations and the free market to solve these kinds of issues and typically have not looked to regulation for deeper consumer protections. But recent data breaches, such as the 2017 Equifax breach that exposed the personal data of more than 145 million Americans, could shift public perception toward favoring individual rights over corporate interests. As more Americans learn what the GDPR is and how it works, there may be calls for similar legislation in the United States.
In the meantime, many companies and websites with customers and audiences in the European Union may find it simpler to apply the GDPR's data collection and processing standards globally rather than maintain separate regimes for EU and non-EU users. As a result, many private citizens outside the EU may benefit from the regulation's protections as well.
The GDPR will have far-reaching consequences. Many non-EU businesses will be forced to change their data collection and data protection policies to conform to these new regulations. If these new regulations are proven to provide better data protection for individuals it will place more pressure on US legislators to consider similar regulations for US consumers and businesses.
Becoming Compliant With GDPR
If you conduct business in the EU, or with people in the EU, you need to ensure your data collection and data protection practices conform to the new regulation. Start by inventorying your data acquisition and management processes: what personal data you collect, from whom, on what lawful basis, where it is stored, who has access to it, and how long it is retained. That inventory will show you the changes you need to make to become compliant.