Recently, the European Union implemented a new regulation in EU Law that is meant to help protect the data of all individuals within the European Union and the European Economic Area. The new law, known as GDPR (General Data Protection Regulation), gives Europeans visibility and control over their own private data that companies have collected.
The idea behind GDPR is that all Europeans have the right to know when their data is being collected, and that they have the right to refuse that data collection. If they agree to the collection, they have the right to control how that data is used and are able to have that data erased at a later date.
How does this affect my US business?
Many outside the EU incorrectly believe that the new regulation won’t affect them. The GDPR requires that all businesses that operate within EU member states and serve individuals within the EU must comply with the new rules — so this includes businesses and organizations located anywhere in the world, including charities and non-profit organizations. If your business is based in the US, and you sell to customers located in the EU from whom you’ve collected information, you’ll need to comply.
Even if the new GDPR regulation doesn’t apply to your business, its concepts and intentions are good ones to keep in mind as best practices for your organization outside of the EU as well. With all of the high-profile data breaches and data mis-management in the news of late, showing your clients and potential clients that you’re responsible with their personal information can provide valuable peace of mind, and build confidence in your services.
Some important details of the GDPR include:
- The processing of personal data should be “adequate, relevant and limited to what is necessary for the purposes for which they are processed.”
- Personal data shall be kept for no longer than necessary based on the reason it was collected.
- Organizations must ensure personal data is securely disposed of when no longer needed.
- Organizations in breach of GDPR can be fined up to 4% of annual global sales or nearly $23 million dollars (whichever is greater). They could also owe compensation to data subjects when their rights have been infringed.
- The organization is at fault (not 3rd party vendors) if any violations occur, so it’s important to make sure all services approved by your organization are compliant.
- In the event of a data breach, those in control of the data are required to notify their supervisory authority within 72 hours of becoming aware of it.
The GDPR is complicated and has many nuances and exceptions. This post is intended to be an introduction, and should not be considered legal advice (we’re not lawyers!), so if you have any questions regarding your organization’s duties, please contact a legal professional.
Check back with us soon for more information about the GDPR:
- How to ensure your website is GDPR compliant
- and more