For applicable U.S. businesses, failure to comply can have serious financial consequences.
May 2018 marks a major change to how data for European citizens is processed, stored and used. The General Data Protection Regulation (GDPR) is a new law established by the European Parliament, designed to ensure greater protection of the individual rights of EU members. The news of the GDPR's imminent arrival has caught many European corporations off guard, with over half stating they were unaware of the compliance requirements. This news does not bode well for small businesses. Noncompliant companies face fines of €20 million or 4 percent of annual revenue.
Yet it is not only those companies in Europe that are in danger of experiencing disastrous financial penalties.
The GDPR laws impact all corporations handling the data of European citizens, as the regulations apply to every shred of personal data owned by a member of the European Union (EU). What does this mean? It means that companies in the United States possessing data belonging to a citizen of the EU must also ensure they comply with GDPR. Failure to do so could result in fines on the same level as any brand operating within the EU.
What is GDPR?
While the way in which companies harvest, extract and utilize data has evolved quickly over recent years, the laws protecting a person's information have lagged behind that growth. The GDPR introduces a number of major changes to how personal information is handled. The new rules outline, in very comprehensive terms, much stricter regulations that apply to all facets of personal data use.
To understand exactly what your obligations are under the GDPR laws, you should consult the official documents available online. However, in very basic terms, this is how things will change:
Access. EU citizens have a right to know what data is being held about them, how it is being used and what will happen to it in the future. They also have the right to have their personal data deleted if requested.
Accuracy. Data accuracy regulations are more stringent now than they ever used to be. Data must be current. You can't stockpile outdated records for potential use in the future.
Consent. For whatever platform personal data is used, proper consent must be gained. This means transparent information upon the acquisition of data as to who will be viewing it and what it will be used for. For example, using the data to market without proper consent could result in penalties. The customer must be 100 percent aware of how their information is going to be used to sell them more products.
Privacy. New data privacy rules alter a business's ability to share and access personal information. Not only do they require the high levels of consent mentioned above, but the processes for sharing data must be more stringently monitored.
Safety. Data protection is now serious business, even more so than it was before. Companies are required to establish advanced protection systems and data encryption processes while also assigning a designated employee to manage and maintain security.
Culpability. When it comes to breaches of GDPR, businesses are now guilty until proven innocent. You are responsible for showing you followed all stipulations outlined in the regulations. Cases can and will be built on a lack of evidence of GDPR compliance, not just proof of something actually going wrong. You are also required to report breaches of data, such as theft, to the authorities immediately.
These new regulations apply to any kind of personal data you may wish to acquire or store. From an accountancy firm holding a client's financial details to a bakery taking addresses and preferences for shipping and marketing, if it is in any way personal information, it is covered by the GDPR.
How can the EU fine an international company for noncompliance?
A lot of companies that carry out business within the U.S. will undoubtedly ask why they have to comply with the rules of a governing body that operates very much outside of their jurisdiction. As stated, the GDPR only applies to members of the European Union, so if you aren't collecting data on EU citizens, you are not liable. However, if you are offering products or services to countries in the European Union, and, therefore, are actively engaged in taking data from the continent, you are responsible for GDPR compliance, as is any business anywhere in the world that does so.
But how can the European Parliament slap you with fines from over 3,000 miles away and expect you to pay them?
This depends on the situation of your company. If your business is an American company, but you have a physical location within the EU, this is where the courts will take their action. If you have no presence in the EU, it becomes harder to enforce, but not by much. The European courts have a strong relationship with the United States government and much of the GDPR is bound to international law.
While there are no actual policies in place to deal with specific GDPR measures, it is widely accepted that, due to long-standing levels of official cooperation between both U.S. and EU data protection authorities, the U.S. will support any cases of GDPR infringement made against American corporations.
The result is that if you are found to be in breach of GDPR, penalties will be levied against you. If you fail to meet the demands of the European data protection authorities, the U.S. government will enforce the ruling. The bottom line is this: You cannot hope to avoid the impacts of GDPR by sheer distance between your company and the governing body enforcing the new regulations.
What steps should American businesses take?
The deadline for GDPR compliance is only a few short months away. After the regulations become enforceable in May, any noncompliance detected by supervisory authorities, or SAs (authorities that work to enforce European Parliament rulings), will be met with legal action. SAs will investigate any suspicion of noncompliance (tip-offs from workers or third parties, the occurrence of data breaches, complaints from clients or customers, etc.) and have the power to issue warnings, audit your business or take further action.
There are only really two steps a U.S.-based corporation needs to take with regard to GDPR:
1. Identify whether or not you are using EU citizen data
2. If so, make changes to ensure compliance
The concepts are far more straightforward than the actions required, of course. Identification of what constitutes EU data can mean trawling through vast amounts of information. Compliance also requires much in the way of resource investment and change.
To be fully GDPR compliant may mean a total restructuring of company policy, especially for smaller businesses where personal data usage isn't widely scrutinized. This kind of resource expenditure is something many businesses will be apprehensive about undertaking, yet its value cannot be overstated. Being caught up in a GDPR-based lawsuit without proper evidence of compliance is going to cost your company. Don't let that happen.
To learn more about how you can be GDPR compliant, fellow Business.com contributor Alex Bennett has written this guide.