March 1, 2023
GDPR (General Data Protection Regulation) compliance is coming on May 25th to companies that operate in the European Union or have customers there. Fines for noncompliance can run into the millions. Are you prepared? And do you even have to worry about it, if you’re a US-based operation?
If your organization at any point handles personal data of EU citizens, you must comply. There are more specific rules around which companies fall under GDPR, including having operations within the EU’s borders, having more than 250 employees, or, if fewer than 250 employees, carrying out frequent data processing that impacts the rights and freedoms of EU citizens; but ultimately, if you handle data of EU citizens at any point, you likely must comply.
The EU citizen must be within the EU at the time of data collection for GDPR to apply — an EU citizen on US soil does not fall under GDPR. You also must be marketing towards EU subjects in general. If you intend to do business with a citizen of the EU, you must comply with GDPR. If you have no reference to EU countries on your website or product, but an EU citizen happens to send you their data, you may not need to comply.
That means hospitality, travel, software, eCommerce, and technology companies, as well as government organizations, are among those most likely to fall under GDPR standards.
GDPR is a European Union law to regulate data protection and privacy for individuals. It applies only to citizens of the EU, but if you handle their data, that means it could extend to your operations as well. The goal behind GDPR is to provide control and security over data to citizens, while also clarifying international business regulations. It takes effect on May 25th, 2018.
It does include regulations around exporting personal data from the EU to other countries, so it could have an effect on your operations for overseas customers, if you are a service provider.
Like many compliance standards, GDPR is a bit vague, requiring a “reasonable” level of data protection, but not specifying individual controls or monitoring measures. Data may be stored for no longer than necessary for the “purposes for which the personal data are processed” (talk about vague). All personal data must be exportable, or able to move from one organization to another.
GDPR requires that authorities be notified within 72 hours of a data breach. Having a pre-planned reporting process is vital for notification, as you must include the scope of the breach and how it occurred. That can be tough in only three days.
Companies are only permitted to use personal data with explicit consent. Each type of data processing and use must be clearly explained when consent is given, so if you plan to e-mail customers or potential customers with marketing, share their information with partners, or store it long-term for future use, each use must come with a separate choice to consent to that use.
Only ages 16 and up can provide their own consent, so age verification is also required. For those under 16, parental or guardian consent is required.
GDPR includes a “right to be forgotten” clause, which states that upon request, a company must purge all personal data for an individual, or remove them from automated programs and marketing. This can be difficult to guarantee in a large IT environment, especially for service providers with multiple customer tenants within a data processing system. You must also be able to provide an individual’s personal data upon request and allow corrections to it.