The General Data Protection Regulation – more commonly called GDPR – is the European Union’s (EU) collection of privacy regulations, which take effect May 25th. The significant, broad-based legislation focuses on data security, privacy, accountability and rights for data subjects, among other things.
In simple terms, the purpose of GDPR is to protect the data and privacy of anyone living in the EU, citizen or not. It doesn’t protect an EU citizen living outside the EU.
Some of the key components of GDPR concern consent when acquiring data, the collection and use of data, and the removal of data when an EU resident requests it.
Here are some topline examples:
- Opt-in email consent needs to be “freely given, specific, informed and unambiguous.” Companies cannot tie opt-in consent to other action items, like a product purchase. Pre-checked opt-in boxes can also be grounds for GDPR violation. And companies must clearly state how data will be used at the point of data collection.
- Companies will need to honor EU resident requests to access, change or delete their personal data. Residents can also request that a company stop using their personal data in email marketing as it relates to profiling, targeting or personalization. These new regulations will require companies to assess how their data is currently collected, stored and used.
- Withdrawing consent to use personal data must be simple, accessible and transparent. The process of opting out must be just as easy as opting in.
- Policies for maintaining data protection and privacy must be fully documented. This includes documentation for vendors and other third-party affiliations.
Does GDPR impact U.S. companies? The answer is YES.
If your U.S. company is not up to speed on GDPR, you’re not alone. Many American companies are not aware of the impact these massive and complex EU regulations can potentially have on their business. But as globalization expands and more U.S. companies do business with customers around the world, they need to pay close attention to GDPR.
Here are 3 things that U.S. companies need to know about GDPR.
#1 - Any U.S. company that has EU resident data is affected by GDPR.
Any U.S.-based company that has EU resident data in its systems must meet the legal requirements of GDPR. This includes selling products and services to EU residents, monitoring the behavior of EU residents, or collecting, storing or transmitting the data of EU residents.
The size of the company or the industry in which they do business is irrelevant. If your company handles the personal data of EU residents, GDPR must be followed.
#2 - There are big financial implications for companies that fail to comply.
Companies that fail to follow the rules can face big fines. Effective May 25th, GDPR regulators will now be able to hand down stiff penalties that are anywhere from 2-4% of the company’s global revenue from the prior year. According to industry experts, companies run the risk of receiving fines immediately.
#3 - Experts are available to help you avoid fines and become GDPR compliant.
The complexity surrounding GDPR is no joke, and the repercussions of ignoring the regulations can be significant. The good news is there are resources available to educate you on the details of GDPR and better prepare you to implement best practices. Do an online search for “GDPR compliance checklist” and you’ll find helpful tips.
The most important step in getting GDPR compliant is to seek legal expertise or the expertise of a GDPR compliance service offering. There are many out there to choose from.