On May 25, 2018, a new set of privacy rules goes into effect in the European Union (EU). Known as the General Data Protection Regulation (GDPR), this group of strictures applies within the EU as well as to many businesses that sell globally. It affects how sellers handle the private information of their customers, and it may have ramifications for you even if your company is not headquartered in the EU.
The Foundations of GDPR
In some respects, the GDPR was a foregone conclusion, with its roots deeply embedded in the very charter of the EU. The charter states: “The protection of natural persons in relation to the processing of personal data is a fundamental right.” This line underscores the EU’s ongoing commitment to customer privacy. The implementation of the GDPR backs this mission with sharp teeth: companies that do not comply with these rules can be fined as much as 4 percent of their total global revenue, an amount that could seriously debilitate a business.
Why Are American Businesses Affected?
Although this is a set of rules that was created in the EU and affects companies doing business in any of the member countries, its scope doesn’t stop there. In today’s global e-commerce environment, consumer data can be shared in seconds with businesses outside the EU in North America, Asia, Africa and anywhere else that is connected to the internet. Since the GDPR is in place to protect the data of EU citizens wherever it may be, any U.S. company that holds the personal data of EU customers is subject to the GDPR. American companies that recognize they have EU-based buyers must either comply with the GDPR or cease to sell products and services to EU-based customers.
In general, your business will be subject to the GDPR if:
- You deal in information as a commodity.
- You obtain personal data from EU customers and store it or use it elsewhere.
- You have dealings with one or more EU countries.
What Does the GDPR Entail?
The GDPR is all about protecting private data at every turn. In order for businesses to comply, they need to put procedures and personnel in place to ensure that this goal is attained. The bottom line is that customers should be able to have ultimate control over their information, including the ability to change, monitor and even delete it at any time. To that end, the GDPR urges companies to provide pseudonymization, anonymization and encryption of all data. Anonymization is the process of encrypting data or removing it so that it can never be directly linked to the customer. Pseudonymization first anonymizes and separates the data but then provides a way that it can be recovered if necessary. An example is a system that gives a customer one identifier for their browser and a second for their location. These two identifiers will not be linked to the customer unless they are put together with their separately stored date of birth.
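The distinction the paragraph draws, shown as an added Python example (not code from the article or any product it mentions): anonymization drops the direct identifiers for good, while pseudonymization keeps the browser and location identifiers in the working record, replaces the rest with a keyed pseudonym, and parks the date of birth and other direct identifiers in a separately held linkage store so they can be recovered only by whoever holds that store. The customer record, the field names and the HMAC key are constructed for illustration.

```python
import hashlib
import hmac
from typing import Optional

# Constructed sample record; the identifiers and values are made up.
CUSTOMER = {
    "customer_id": "C-1001",
    "name": "Example Person",
    "date_of_birth": "1980-01-01",
    "browser_id": "b7e3",      # identifier for the customer's browser
    "location_id": "loc-42",   # identifier for the customer's location
}

# Fields that on their own point straight at a person.
DIRECT_IDENTIFIERS = ("customer_id", "name", "date_of_birth")


def anonymize(record: dict) -> dict:
    """Irreversibly strip every direct identifier. Nothing in the result
    (and nothing stored elsewhere) links it back to the customer."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


def pseudonymize(record: dict, key: bytes, linkage_store: dict) -> dict:
    """Separate the data from the person: keep browser/location identifiers,
    replace direct identifiers with a keyed pseudonym, and move the direct
    identifiers into linkage_store, which must be kept apart from the
    working data (separate system, separate access controls)."""
    pseudonym = hmac.new(
        key, record["customer_id"].encode(), hashlib.sha256
    ).hexdigest()[:16]
    linkage_store[pseudonym] = {k: record[k] for k in DIRECT_IDENTIFIERS}
    working = anonymize(record)
    working["pseudonym"] = pseudonym
    return working


def reidentify(pseudonym: str, linkage_store: dict) -> Optional[dict]:
    """Recover the direct identifiers, e.g. to answer a customer's request
    for a copy of their data. Only works for a holder of the linkage store."""
    return linkage_store.get(pseudonym)


if __name__ == "__main__":
    store = {}  # held separately from the working records in practice
    working = pseudonymize(CUSTOMER, b"constructed-demo-key", store)
    print("working record:", working)       # no name or date of birth
    print("re-linked:", reidentify(working["pseudonym"], store))
```

Whoever holds only the working records sees browser and location identifiers tied to an opaque pseudonym; the date of birth that would complete the link lives in the separate store, which is the separation the paragraph describes.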
How the GDPR Protects EU Consumers
There are several ways that the GDPR works to protect consumers. These include the following:
- Wide reach. The GDPR requires compliance from all companies that process the personal data of EU citizens regardless of where these citizens may live.
- Severe penalties. If a company fails to comply with the GDPR, it could be fined as much as 20 million euros or 4 percent of its total global revenue. This provides a significant incentive for businesses both large and small to take the necessary measures to be in GDPR compliance.
- Strong and easy-to-use consent mechanism. Consumers must be able to say “yes” or “no” to whether a company is allowed to retain or share their sensitive personal information. Consent must be given in a way that is easy to understand and accessible. The company’s purpose for keeping the customer data must be transparent, and there must be an easy-to-use procedure in place should the customer wish to reverse consent at any time.
- Mandatory notification about data breaches. If any incident occurs that has the potential to compromise customers’ rights and freedoms, official notification must be given within 72 hours of discovery. Customers must be told about the breach “without undue delay.”
- Description of consumer rights. When an EU citizen provides their personal data to a company, they have the right to get copies of the data as well as a description of how the company is using it. In addition, they have the right to erase their data or move it to another service provider.
- Systems designed with data protection in mind. The GDPR insists that new company systems be designed with data protection as one of their core principles instead of attempting to retrofit existing mechanisms to protect consumer privacy.
- Protections for children. The GDPR is designed to protect the privacy of children, who can often be particularly vulnerable to breaches. For this reason, parental consent must be obtained before a company can ask for the personal data belonging to a child under 16.
Steps You Can Take to Prepare
If you operate internationally, protecting your EU customers’ data will soon become more important than ever. There are a few ways that you can get ready for the GDPR:
- If your website contains a form in which the customer gives permission for their information to be shared with third parties, make sure the box is unchecked. The customer must be the one to take this action, not you.
- If you have lists of subscribers, make sure that all participants have given explicit permission to be on the list.
- Be sure that everyone on your staff understands the GDPR and how it affects your customers.
- Document all customer information including where you got it, how it has been used and who requested it and why.
- Have a procedure in place for erasing customer data that is clear and is available in a machine-written format as opposed to handwriting.
- Have a procedure in place for quickly handling large numbers of customer requests related to the GDPR. You now have one month to comply.
- Clearly state to customers why you are retaining their data and what you will be using it for. They should be able to refuse at any time.
- If you process the data of children under 16, you must get a parent or guardian’s permission.
- Have a plan in place should a data breach occur. Determine how you will notify customers and who will be responsible for doing so.
In this age of heightened privacy concerns and frequent data breaches, the GDPR is destined to fill a very important need for consumers in the EU and EU citizens around the world. In the upcoming months and years, many of the questions surrounding implementation of the GDPR will be answered as the policies are clarified. For now, it is advisable to understand the general framework of the regulations and do all you can to prepare should your business fall under the GDPR’s scope.