What is GDPR?
The European Union (EU) General Data Protection Regulation (GDPR) became law in May of 2018 and is the most important change in data privacy regulation in 20 years. It is a regulation that requires businesses to protect the personal data and privacy of EU citizens for transactions that occur within EU member states.
Though it is reasonable to assume that the GDPR will be enforced more strongly over time with regard to small businesses, regulators at the European Commission have been very clear that there is no transitional phase.
It is important to note that GDPR applies to people within the EU, but not necessarily to EU citizens. A French woman in Australia is not covered by GDPR, whereas an Australian woman in France would be. It is the location of the person that is important, not their nationality or citizenship.
What type of organizations are most affected?
Though every organization can be affected by the GDPR, some business sectors are probably more affected than others. For instance:
- Data and technology businesses – Probably the largest impact will be on businesses that rely on acquiring consumer data, that is, those that collect, store, or share global customer information in any way.
- Online goods providers – If your business sells goods online that are available to EU customers, you may already have contact and financial information, or other personal data that falls under the new protections.
- Business-to-business service providers – Third-party vendors who work with companies that manage data from the EU. For example, if you process insurance claims for a U.S. business that has EU clients, you will probably be required to follow the laws under the GDPR.
How are U.S. businesses affected?
Below I’ll explain how this affects U.S. companies, and even more so small businesses that have no direct business operations within the EU. The GDPR applies to all organizations that are based in the EU, but it also applies to organizations outside the EU that provide goods or services to people in the EU.
According to the GDPR website:
“The GDPR not only applies to organisations located within the EU but it will also apply to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.”
This means that if your company is headquartered in Atlanta, GA, and provides goods or services to people in the EU, or processes data from within the EU (e.g. through form submissions via your website), you are responsible for abiding by the laws of the GDPR.
You may be wondering whether this applies to any organization’s website, given that anyone from around the world, including the EU, can access it and submit personal data. First let me stress that you should consult with your legal counsel with respect to interpreting your obligations under the GDPR and the use of your company’s products and services to process personal data. However, if your organization is not directly marketing to the EU, the GDPR typically will not apply to an American organization. If you can answer yes to any of the following, your business very well may fall under the laws of the GDPR:
- Does your business have an office in the EU?
- Is your business website multi-regional in that it allows a user to select an EU country?
- Does your business website allow EU customers to order goods or services enabling payment in euros?
- Is your website multi-lingual allowing EU customers to order goods or services in an EU language?
- Does your business website mention customers in the EU?
How can my business comply?
GDPR has 99 articles and unfortunately can’t be summed up in a one page blog on how to comply. It requires time, effort, strategic risk assessment, and can potentially be quite costly. If you fall under the umbrella of GDPR, you will be required to abide by the rights people in the EU have.
These rights include:
- Right to access their data – The person may request access to their personal data, which an organization is required to supply for free and within one month.
- Right to be informed about their data – The person has the right to know when their data is being collected and how it is being used.
- Right to have their data erased or restricted – Companies do at times have a legal basis to keep your data, but they can’t use it for anything other than that specific purpose.
- Right to object to specific uses of their data – The person has the right to prevent organizations from using their data to make assumptions about them for marketing purposes.
- Right to be notified of a breach – Per Article 33, where feasible, the data breach notification must take place no later than 72 hours after the breached organization has become aware of the incident.
Companies are required to:
- Inventory their data – Organizations are required to take inventory of the data they have collected on individuals.
- Provide access to that data – Organizations are required to provide individuals access to their data, explain how it is being used, and honor requests to delete it when it is no longer needed.
- Data collection process – Organizations are required to inform individuals when and what data is being collected and give them the opportunity to opt in to providing that data.
Why you should prepare
Corporations typically follow a pattern of regulation stemming from what is known as the Brussels effect, which is the shift of regulations in the direction of political jurisdictions with stricter regulatory standards. In the U.S., corporations also follow what is known as the California effect. With data privacy gaining momentum in the U.S. and California passing the California Consumer Privacy Act of 2018, businesses will be making dramatic changes with regard to how data is managed. It is a strong possibility that the rest of the country will follow suit and existing U.S. privacy laws will expand. Bringing your business up to European standards now can help ease the transition when U.S. privacy standards develop further.
What you should do to prepare
Becoming compliant with GDPR or simply preparing for compliance is no small task but hopefully the below steps can get you started.
- Create a Data Protection Plan
- Perform a data audit
- Conduct a risk assessment
- Recognize high risk data
- Plan for a breach
- Hire or appoint a Data Protection Officer
DISCLAIMER: While the content on this page is designed to help you understand the GDPR when working with third parties, the information contained should not be construed as legal advice. You should consult with your own legal counsel with respect to interpreting your unique obligations under the GDPR and the use of an organization’s products and services to process personal data. This legal information is not the same as legal advice, where an attorney applies the law to your specific situation. You may not rely on this information as legal advice, nor as a recommendation of any particular legal understanding.