The new, 200+ page European Union General Data Protection Regulation (GDPR) coming into effect in May 2018 is much tougher than the current EU Data Protection Directive 95/46/EC.
(For an introduction to the GDPR from the EU regulators, watch the YouTube video.)
Big changes in the new GDPR include:
- Jurisdiction expanded to include all companies processing personal data of EU residents regardless of company location or where data are processed
- Before collecting personal data or behavioral information from any person located in an EU country, companies must obtain consent that is “freely given, specific, informed and unambiguous.”
- Persons located in the EU have a right to be forgotten including data erasure and cessation of data dissemination.
- Companies must notify the GDPR regulators of any data security breach involving persons in the EU within 72 hours of becoming aware of it.
- The GDPR provides for fines for non-compliance of up to 4% of a company's annual global sales or €20M, whichever is greater.
Which US businesses will the GDPR affect?
At the most basic level, your company must comply with the GDPR if it:
- has a significant online presence, and
- collects personal data or behavioral information, with or without a financial transaction, from persons located in any EU country.
Examples of personal data include e-mail and physical addresses, IP addresses, and health, biometric or genetic data.
With regard to where you store personal data, the GDPR covers all IT systems, networks and devices, including mobile devices. All of these must provide secure storage of EU persons’ data.
American companies that the GDPR regulators will be watching most closely are those that:
- Have a physical presence in any EU country, or
- Target persons located in an EU country by, e.g.:
  - Having online content localized and/or translated for one or more EU countries, or
  - Maintaining a site with a European TLD, like these:
So if the GDPR regulators might have your company in their sights, what basic steps do you need to take to demonstrate compliance?
- Don’t collect any unnecessary data from EU persons. If you have no urgent need or actionable use for a data element, stop collecting it.
- On any Web page where a user can enter personal data, require them first to acknowledge that they have read and understand what you’re going to do with their data. Which of course means you have to tell them that right there on that page, in clear and simple language, not just via a link to your legal department’s Terms and Conditions page. If you do this with a checkbox, it must not be checked by default.
- If you’re going to be doing different things with different bits of data (sending e-mail newsletters, sharing with other companies, or whatever), a strict interpretation of the GDPR requires you to obtain consent for each individual use.
- Do whatever it takes to safeguard personal data of EU persons. Compliance with NIST, ISO/IEC 27001 or a similar established standard would probably be acceptable.
- If you’re a small company, I know complying with these kinds of standards is a tough requirement, and likely economically out of reach. Do the very best you can to safeguard those data, starting with conveying to all staff that clients’ and prospects’ personal data are sacrosanct and to be secured at all times, never taken home on a laptop, etc.
- Have a point person for data security and breach detection.
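The consent points in the list above (acknowledgement before data entry, no pre-checked boxes, one opt-in per use) can be enforced in code rather than left to page copy. The following is an added example written for this post, not code from the original article or from any product; the purpose names, field names and notice version are assumptions made for the example.

```javascript
// Added example (not from the original article): an opt-in consent form whose
// boxes are never pre-checked, one box per use of the data, and a server-side
// record that treats anything other than an explicit tick as "no".
// PURPOSES, the field names and the notice version are assumptions.

const PURPOSES = Object.freeze({
  account: "Create and operate your account",
  newsletter: "Send you our e-mail newsletter",
  partners: "Share your details with partner companies",
});

// Renders the consent block for a data-entry page. The plain-language notice
// sits next to the fields (not behind a link), and no checkbox carries `checked`.
function renderConsentForm(purposes = PURPOSES) {
  const rows = Object.entries(purposes).map(
    ([id, text]) =>
      `<label><input type="checkbox" name="consent_${id}" value="yes"> ${text}</label>`
  );
  return [
    `<p>We will use the data you enter below only for the purposes you tick:</p>`,
    ...rows,
    `<label><input type="checkbox" name="notice_read" value="yes"> I have read the above</label>`,
  ].join("\n");
}

// Builds the consent record from the submitted form fields. An unticked
// checkbox is simply absent from the submission, so every purpose defaults to
// false and only the exact value "yes" emitted by the rendered form counts.
// Nothing is recorded at all unless the notice was acknowledged.
function recordConsent(fields, { noticeVersion, now = new Date() } = {}) {
  if (fields.notice_read !== "yes") {
    return { ok: false, reason: "notice not acknowledged" };
  }
  const granted = {};
  for (const id of Object.keys(PURPOSES)) {
    granted[id] = fields[`consent_${id}`] === "yes";
  }
  return {
    ok: true,
    noticeVersion,                 // which wording the person actually saw
    recordedAt: now.toISOString(), // when they agreed, for later evidence
    granted,                       // one explicit boolean per use
  };
}

// Lists the uses a stored record permits. Code that later wants to send a
// newsletter or share data asks this function rather than assuming.
function permittedUses(record) {
  if (!record.ok) return [];
  return Object.keys(record.granted).filter((id) => record.granted[id]);
}

// Usage with a constructed submission where only the account box was ticked.
const sample = recordConsent(
  { notice_read: "yes", consent_account: "yes" },
  { noticeVersion: "2018-05-notice-v1", now: new Date("2018-05-25T09:00:00Z") }
);
console.log(permittedUses(sample)); // [ 'account' ]
```

Keeping the notice version and timestamp in the record is what lets you later show which wording a person agreed to, which matters once your consent text changes.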
And stay up to date on GDPR developments as they roll out beginning in May.