In today's world of data breaches and overly personalized advertisements, many consumers are understandably concerned about the way companies collect, store and use their personal data. A Pew Research Center study found that the majority of Americans feel they have little control over the information various organizations have about them: 62% of respondents don't believe it's possible to go through daily life without businesses or the U.S. government collecting data on them.
Lawmakers have heard and responded to these concerns in recent years by passing regulations for how personal data about individual citizens can be processed, stored and used. The most notable of these laws are known collectively as the General Data Protection Regulation, which went into effect in 2018. The European Parliament and the Council of the European Union established the GDPR to ensure greater protection of individual rights of EU members. Noncompliant companies face fines of up to €20 million or 4% of their annual revenue, whichever is larger.
American small businesses, which are also expected to comply with the California Consumer Privacy Act, aren't exempt from the GDPR just because it's EU-based. These laws impact all corporations handling the data of European citizens, regardless of where they're based. In other words, companies in the United States that possess data belonging to a citizen of the European Union must ensure they comply with the GDPR. Failure to comply could result in fines on the same level as any brand operating within the EU.
What is GDPR?
While the ways companies harvest, extract and utilize data have evolved quickly in recent years, the laws protecting a person's information was lagging behind the growth at the time of the GDPR's introduction. The stricter regulations enacted a number of major changes as to how personal information is handled and outlined in comprehensive terms that apply to all facets of personal data use.
The GDPR is based on the idea that EU citizens have a right to know what data about them is being held, how it is being used and what will happen to it in the future. They also have the right for their personal data to be deleted if they request it.
While the GDPR itself is relatively new, the principles behind it aren't. They're essentially updated versions of the principles set forth in the Data Protection Act of 1998. These are the basic principles of the GDPR:
- Lawfulness, fairness and transparency: All personal data that companies collect must be processed lawfully, fairly and in a transparent manner. This means you must get proper consent from the customer and explicitly tell them how you're going to use their information.
- Purpose limitation: Any data you collect should not be further processed beyond the specific, legitimate purposes you explained to the individual providing their data. Exceptions include archiving data in the public interest, for scientific or historical research purposes, or for statistical purposes.
- Data minimization: Your business should only collect the minimum amount of relevant data you need for your purposes.
- Accuracy: All personal data your organization stores must be current, and you must make reasonable efforts to keep your records up to date. You can't stockpile outdated records for potential use in the future.
- Storage limitation: Your company should not keep personally identifiable data for longer than is necessary.
- Integrity and confidentiality (security): Your company must establish advanced protection systems and data encryption processes. You also need to assign a designated employee to manage and maintain security.
- Accountability: When it comes to breaches of GDPR, businesses are guilty until proven innocent. You are responsible for showing you followed all stipulations outlined in the regulations. Cases can be built on a lack of evidence of GDPR compliance, not just proof of something actually going wrong. You are also required to report breaches of data, such as theft, to the authorities immediately.
To understand exactly what your obligations are under the laws, you can view the official GDPR documents available online.
What kind of data does the GDPR cover?
The GDPR laws apply to any uniquely identifiable personal data you may wish to acquire or store. To qualify as "personal data" under GDPR, the information must be related to an identifiable natural person. In essence, if the information you have can be used to directly or indirectly identify an individual person by reference to their "physical, physiological, genetic, mental, economic, cultural or social identity," it counts as personal data and is covered under the GDPR.
These are some examples of personally identifiable information:
- IP address
- Financial information
- Religious or political affiliations
- Genetic or biometric data
What is not covered by the GDPR?
The GDPR does not cover any information that is "not, or is not intended to be, part of a filing system," such as unstructured paper records, nor does it cover personal data relating to a deceased individual.
Anonymized data – that is, personal data that has been rendered to make the data subject unidentifiable – also does not fall under GDPR laws. For example, if you strip all the names, addresses, and contact information from your data set and simply have your customers' genders and ages, that data set would be considered anonymized. However, pseudonymized data (where personally identifiable information has been replaced but not eliminated) still counts as personal data under GDPR.
What is the difference between the GDPR and the CCPA?
The California Consumer Privacy Act is a U.S. regulation that passed shortly after the GDPR laws and serves a similar purpose to the EU regulations. The biggest difference is that the GDPR emphasizes "privacy by default" by requiring prior consent before data is collected.
The CCPA does not stop companies from collecting data; instead, it allows California residents to request information about themselves that has already been collected and to opt out of future collection. The CCPA allows consumers to request access to their household data in addition to their personal data, whereas the GDPR only governs individual information.
How can the EU fine an international company for noncompliance?
Many companies that carry out business within the U.S. will undoubtedly ask why they have to comply with rules of a governing body that operates far outside of their jurisdiction. The GDPR only applies to members of the European Union, so if you aren't collecting data on EU citizens, you are not liable. However, if you offer your products or services to countries in the EU and, therefore, are actively engaged in taking data from the continent, you are responsible for GDPR compliance.
But how can the European Parliament slap you with fines from over 3,000 miles away and expect you to pay it?
This depends on the situation of your company. If you are an American company but have a physical location within the EU, this is where the courts will take their action. If you have no presence in the EU, it becomes harder to enforce, but not by much. The European courts have a strong relationship with the U.S. government, and much of the GDPR is bound to international law.
While there are no actual policies in place to deal with specific GDPR measures, it is widely accepted that, due to long-standing levels of official cooperation between U.S. and EU data protection authorities, the U.S. will support any cases of GDPR infringement made against American corporations.
Therefore, if you are found to be in breach of the GDPR, penalties will be levied against you. If you fail to meet the demands of the European data protection authorities, the U.S. government will enforce the ruling.
The bottom line? You cannot avoid the GDPR's impact by sheer distance between your company and the governing body.
How can American businesses ensure compliance with GDPR?
Any noncompliance detected by supervisory authorities (who work to enforce European Parliament rulings) will be met with legal action. SAs will investigate any suspicion of noncompliance (tipoffs from workers or third parties, the occurrence of data breaches, complaints from clients or customers, etc.) and have the power to issue warnings, audit your business or take further action.
There are two basic steps a U.S.-based corporation needs to take with regard to the GDPR:
- Identify whether or not you are using EU citizen data.
- If so, make any necessary changes to ensure compliance.
The concepts are far more straightforward than the actions required, of course. Identification of what constitutes EU data can mean trawling through vast amounts of information. Compliance also requires much in the way of resource investment and change.
Full GDPR compliance may mean a total restructuring of company policy – especially for small businesses, because their personal data usage isn't widely scrutinized. Many businesses will be apprehensive about this kind of resource expenditure, but you can't underestimate its value when the alternative is a GDPR-based lawsuit.
Learn more about consumer data privacy regulations in this business.com guide.
Russell Smith contributed to the reporting and writing in this article.