Later this month (May 25th, to be exact), the European Union’s General Data Protection Regulation (GDPR) goes into effect, and, with it, will usher in the single biggest change for data security in history. Some of the more famous provisions of the act are:
- “Right to be Forgotten” – any company must immediately delete irrelevant or factually incorrect or misleading information about EU citizens that appears on a website upon request.
- Reporting – a company must report any data breach within 72 hours, regardless of size or severity.
- Data Protection Officers – companies need to designate a point person as the Data Protection Officer, who will report to the EU on issues related to GDPR compliance.
- Fines for Non-Compliance – severe fines for non-compliance, up to 4% of annual global revenue for an offending company.
The truth is that GDPR regulations apply only to EU citizens, but the reach goes further than Europe. If your company is based in North America, you are not immune from compliance.
First, the obvious. If your company is based in North America but does business (either direct sales, supply procurement, or even hiring of European citizens for full-time or part-time help) in the EU, you should already be planning or have already implemented steps to comply with GDPR.
Well, it may be obvious, but the fact is that the statute is a bit vague on who, and under what circumstances, the act protects. (And, of course, the rules by which companies will be audited and fined have yet to be determined.) Certainly, multinational companies that sell in the EU are bound by the act’s provisions, but more importantly, any company that collects, receives or retains the identities of EU citizens for any reason will also need to comply with GDPR standards. That means that any personal information of an EU citizen that ends up in your enterprise system for any reason (even if it is as simple as a web visitor from Amsterdam browsing your website and downloading a whitepaper) must be protected under the statute.
Data privacy is obviously a huge topic these days and GDPR is the first of what will likely be many laws that will be enacted worldwide to protect the privacy of autonomous citizens.
Even American companies that don’t actively sell in the EU should pay close attention to GDPR for the following reasons:
- Your enterprise may be collecting personal information about EU citizens through cookies or other marketing activities
- Suppliers from the EU may be exposing personal information to your company by naming their procurement or purchasing officials
- Complying with GDPR regulations will be a competitive differentiator and set you apart from other companies that will have to scramble as new and similar provisions get enacted in other jurisdictions
Fortunately, there are things that you can do to prepare for increased data privacy rules, even if you aren’t subject to GDPR standards immediately.
Here are a couple of links from our trusted partners: