Unless you’ve been heavily preparing for Burning Man or on a nature retreat, you may have noticed an influx of emails from companies informing you they have “updated our privacy policy.” The reason why was a huge change in private data regulations within the European Union. On May 25, 2018, the European Union enacted the General Data Protection Regulation (GDPR). The GDPR provides all member states with a strict guideline to respecting the right to privacy afforded to European citizens. This legislation doesn’t only affect European companies, but companies throughout the entire world. To provide some clarity, this post will describe the GDPR, its effects, and why that matters to American companies.
In the simplest of terms, GDPR returns power over personal data (defined as any data that can help to identify somebody such as a name, pictures, or even an IP address) back to the people. To accomplish this, GDPR requires companies that interact with European citizens to do four main things. 1) all European citizens have the right to “be forgotten.” If requested, a company must delete all data regarding those concerned within 30 days of receiving the request. 2) All data must be portable. If requested, a company must transfer all automated data to where the citizen needs it. Furthermore, the data must be in a widely used format. 3) Data breaches must be reported to authorities within 72 hours real-time. 4) Consent and Transparency, all personal data can only be collected and stored if the citizen opts in to sharing it with the company. The company must also be honest with what the data will be used for. The GDPR also requires the data to be protected from data breaches.
With the GDPR being an institution of the EU, many people and companies in the U.S. are completely unconcerned by it. However, that kind of thinking is disadvantageous and potentially dangerous. According to data privacy expert and former SVP of Enterprise Privacy Compliance at Bank of America Jodi Daniels, if you receive any data belonging to an EU citizen or resident you are subject to the GDPR. This even includes employees, as according to the GDPR employee data is personal data. This puts American companies at risk of being hit with a hefty fine of up to 20 million Euros or 2-4% of global turnover, whichever is greater. Additionally, GDPR regulations will grow to be the expected as large enterprises change their policies to meet its requirements. This means that being an early adopter of GDPR regulations could provide your company an advantage in the marketplace.
The GDPR is a massive undertaking by the European Union, containing 99 articles, and is 88 pages long. It took the EU two years to get their companies prepared, and has replaced ancient laws from the long past decade of the 90s. It’s quite possibly the new standard for data protection and privacy laws for the Internet, and like all the terms and conditions you’ve agreed to over the years it should be read and understood.
