Think the GDPR only applies to European-based companies? Think again. This groundbreaking E.U. data protection law is causing a cascade of changes to global business. You might be wondering: What is the GDPR? Does the GDPR apply to U.S. companies too? Should you be doing something to protect your business? We’ve listed a lot of great resources with answers for our software technology clients in this article.
What is GDPR?
The GDPR, or General Data Protection Regulation, takes effect in the EU on May 25, 2018. Some tech experts are calling it the greatest change in data regulation in 20 years because of its legal severity and potential for far-reaching effects. Just one misstep could cost your company a staggering 2% of global revenue in fines.
The law was enacted to protect privacy and ensure consent for data collection and distribution. It centers on the E.U.’s hot-button topic known as the “right to be forgotten,” or protection from the internet’s long-lasting archive of false and damaging information.
Does the GDPR Really Affect the U.S.?
In a word, yes. The GDPR does impact U.S.-based businesses, so don’t make the mistake of assuming otherwise. Here’s why.
In the spirit of shielding people from reputational damage, the authors of the GDPR had to look at how online data is collected in the first place. What they found was a widespread pattern of companies around the world – not just in the E.U. – gathering personal information and behavioral data about E.U. citizens without their consent.
For this reason, Article 3 of the GDPR states that if a company collects data from someone in an E.U. country, it is subject to the requirements of the GDPR regardless of the company’s location. To be crystal clear: If your U.S.-based tech business collects any bit of personal data from an E.U. citizen, the GDPR applies.
But We Don’t Have E.U. Customers
If you don’t do business with E.U. buyers, you might think you’re in the clear. But consult with your IT director, marketing director, and data management company before letting your guard down.
The GDPR clarifies that a financial transaction does not have to take place for the rule to apply. The people whose data you collect don’t have to be your customers. Collection of personal data, known in the U.S. as PII or personally identifiable information, is the GDPR’s central focus.
So let’s say, for example, you did an internet survey asking people – customers, non-customers, random site visitors – for feedback about your website. If, while taking the survey, E.U. residents provided information about their gender, age, education level, country of origin, or a wide range of other basic demographic info, the GDPR applies.
OK, so maybe you never requested demographic info, but just asked about people’s likes and dislikes. Even if an E.U. citizen just checked a box that said, “I enjoy reading tech news,” it would be defined as information about personal interests and fall under the GDPR. The E.U. has a broad definition of behavioral data.
Rethink Required Fields and Freebies
Some companies are realizing they’ve been collecting this kind of data about E.U. residents without giving it much thought. One common example is the info gathered for free trials and free content.
Does your tech company have a required field, like an email address, before people can read a free eBook, download a whitepaper, or try out a basic version of your service? If so, an E.U. resident may have given you personal information that’s expressly covered under the GDPR.
To keep your company compliant, you’ll need to implement some new policies and procedures. It’s time to update across platforms, because the GDPR requires consent to be “freely given, specific, informed, and unambiguous.”
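One way to make those four consent requirements concrete at the point where a required field is collected is to record each opt-in as a structured consent record and reject anything that does not meet all four properties. The example below is an added illustration, not code from the original article or from any GDPR guidance; the form field names, the `ConsentRecord` layout, and the specific checks (no pre-ticked box, no catch-all purpose, a recorded notice version and timestamp, no consent forced as a condition of an unrelated download) are assumptions made for this example.

```python
"""Consent-record validation for a sign-up or free-download form.

Added illustration only. It models the four consent properties quoted in the
article ("freely given, specific, informed, and unambiguous") as checks on a
record a web form handler might build. Field names and rules are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


@dataclass
class ConsentRecord:
    subject_id: str                 # who consented (e.g. the email they gave)
    purposes: List[str]             # named purposes, e.g. ["newsletter"]
    affirmative_action: bool        # user actively ticked/clicked to opt in
    pre_ticked: bool                # the box was already checked when shown
    bundled_with_service: bool      # consent was a condition of unrelated access
    notice_version: Optional[str]   # privacy notice shown at the time, or None
    timestamp: Optional[datetime]   # when the opt-in was recorded, or None


def validate_consent(rec: ConsentRecord) -> List[str]:
    """Return a list of problems; an empty list means every check passed."""
    problems: List[str] = []
    # Freely given: not forced as the price of a service that does not need it
    if rec.bundled_with_service:
        problems.append("freely_given: consent was a condition of unrelated service")
    # Specific: at least one named purpose, and no catch-all such as "all"
    if not rec.purposes or any(p.strip().lower() in {"all", "any", "*"} for p in rec.purposes):
        problems.append("specific: purpose must be named, not a catch-all")
    # Informed: we must be able to show which notice the person saw, and when
    if not rec.notice_version or rec.timestamp is None:
        problems.append("informed: missing notice version or timestamp")
    # Unambiguous: a clear affirmative act; silence or a pre-ticked box is not consent
    if rec.pre_ticked or not rec.affirmative_action:
        problems.append("unambiguous: no affirmative opt-in action recorded")
    return problems


def consent_from_form(post: dict, notice_version: str) -> ConsentRecord:
    """Build a ConsentRecord from a submitted form; the field names are constructed."""
    return ConsentRecord(
        subject_id=post.get("email", ""),
        purposes=[p for p in post.get("consent_purposes", "").split(",") if p.strip()],
        affirmative_action=post.get("consent_checkbox") == "on",
        pre_ticked=post.get("checkbox_default") == "checked",
        bundled_with_service=post.get("consent_required_for_download") == "1",
        notice_version=notice_version,
        timestamp=datetime.now(timezone.utc),
    )


if __name__ == "__main__":
    # Constructed sample submissions: a clean opt-in and a pre-ticked, bundled one
    clean = consent_from_form(
        {"email": "a@example.com", "consent_purposes": "newsletter",
         "consent_checkbox": "on", "checkbox_default": "unchecked",
         "consent_required_for_download": "0"},
        notice_version="privacy-notice-v3",
    )
    sloppy = consent_from_form(
        {"email": "b@example.com", "consent_purposes": "all",
         "consent_checkbox": "on", "checkbox_default": "checked",
         "consent_required_for_download": "1"},
        notice_version="privacy-notice-v3",
    )
    print("clean:", validate_consent(clean) or "OK")
    print("sloppy:", validate_consent(sloppy))
```

Each failed check names the consent property it violates, so the same function can gate the form handler (refuse to store the data) and feed a compliance report listing why existing records from trials and free downloads do not hold up.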
After collection, you’ll have to keep data protected under GDPR guidelines and notify regulators within 72 hours of a potential breach. Failure to do so brings thousands – even millions – in fines: GDPR regulators can take 2% of your global revenue per incident.
Some pessimistic tech experts say the authors of the GDPR are likely interested in making a high-profile example of a U.S. business that fails to comply. Don’t let it be your company.
Here is a list of free GDPR resources to get you started.