The European Union’s General Data Protection Regulation (GDPR) goes into effect May 25th, 2018.
While this data privacy regulation is made to protect EU citizens, the law will dramatically impact US businesses.
The GDPR was designed to harmonize data privacy laws across Europe and reshape the way organizations approach data privacy. In fact, it’s the most significant change in data privacy regulations in 20 years.
Organizations that do not comply may face heavy fines—up to 4% of annual revenue or over $24 million (whichever is greater). And because the law will be enforced internationally, many US businesses will be at risk.
Will it affect my business?
If you have any presence in Europe or process personal data of EU residents, then yes.
GDPR is very broad. It casts a wide net in its definition of personal data, including data like IP addresses, emails, and cookies in addition to names, addresses and other identifiers. (We think this is a good thing for consumers!)
That means that any US website that can even be accessed from Europe could be considered to be processing personal data, and therefore falls under this law.
What do I have to do?
First of all, you must gain consent to capture data by clearly stating what personal data you will be capturing, in plain language. And you must make it as easy for people to withdraw consent as it is to give it.
You must also deliver mandatory breach notifications to all who may be impacted as soon as you become aware of a data breach.
And if anyone requests a copy of their personal data, you must be able to provide it to them, free of charge, in electronic format. Similarly, if a citizen requests their personal data be erased, you must also comply.
We recommend working with a company that specializes in regulatory compliance to eliminate the risk of missing important details.
When do I have to comply?
The law goes into effect May 25, 2018. You can expect regulators to target big businesses first, but that impact will quickly trickle down to small businesses as well.
Many of our customers have already begun to be asked by their clients and vendors to prove GDPR compliance, so it’s crucial to get moving as quickly as possible.