This past spring, the EU sought to bring about the most significant change in data security policy that we’ve seen in recent history. The General Data Protection Regulation (GDPR) is a set of regulations that govern how the private information of consumers across European states is handled by businesses and other organizations.
The degree of regulations over the use and collection of personal data is unprecedented and helps to ensure that businesses of all types and sizes are providing the highest level of security and privacy protection. In a digital culture where consumer privacy has become a hot topic, this move by the EU is significant.
Any business in the EU that doesn’t comply could face serious financial consequences. Of course, it’s critical for EU-based companies to be compliant with the GDPR, but what about multinational companies? Aren’t U.S.-based businesses that have no direct business operations in the EU exempt from the GDPR?
Not necessarily. Here’s what you need to know.
Understanding the GDPR
The GDPR is a piece of legislation that was approved in 2016 but only went into effect in May 2018. It replaces an earlier EU law, the Data Protection Directive, which had been introduced to harmonize consumer data protection rules and practices across the EU.
The primary goal of the GDPR is to give consumers greater control over their personal data as it’s collected by businesses. A few of the primary obligations under the GDPR include:
- Businesses are not able to bundle multiple consents together. For example, when a consumer clicks to give consent to share their information with one business entity, that consent cannot reach further to include additional uses or sharing of their information. Each individual condition of consent must be agreed upon separately.
- Furthermore, any person who is 16 years of age or younger must have a parent, guardian or person holding parental responsibility opt into the data collection on behalf of the minor.
- Additionally, any breach in data protection must be reported within hours to the company’s data protection authority, which then must, without delay, notify customers of the breach.
These are just a few of the obligations outlined under the GDPR. The regulations in the GDPR also apply to some companies operating outside of the EU that offer goods and services to customers within the EU. This includes some U.S.-based companies.
How Are Businesses in the United States Affected by the GDPR?
Some U.S.-based businesses that participate in the exchange of private consumer information and transfer of funds with customers in the EU may be subject to GDPR compliance. This includes businesses that specifically target EU-based customers.
For example, if a person from an EU nation does an internet search and happens to find their way to the website of a business based in the United States, that business isn’t required to be GDPR compliant unless it has specifically targeted customers in that location. In contrast, a business in the hospitality industry that targets EU consumers looking to come to the United States for business or vacation would be required to be GDPR compliant.
If your website is available in languages used in the EU or accepts currency from an EU nation, then you’re likely required to become GDPR compliant if you aren’t already. The good news is that businesses have about two years to work on compliance before facing financial penalties.
What Can Businesses Do to Prepare?
The implications of the GDPR have the potential to be very far-reaching. While U.S.-based businesses that engage EU-based consumers have no choice but to become compliant, it’s important for all businesses to have a basic foundational understanding of what compliance entails and to work towards some of these standards. After all, protecting consumer privacy is never seen as a bad thing. Here are a few steps that businesses can take to prepare for the influence of the GDPR on the global economy.
- Know your data collection and privacy policies. What type of information are you collecting, how sensitive is it and how is it being used and stored?
- Take a look at your current data protection policy and update if needed.
- Consider hiring a data processing officer. The GDPR assigns liability to data processing officers for businesses that have them. If you’re in a position where you may be affected by the GDPR, a data processing officer is a wise investment.
- Develop a clear, transparent data request process. Any consumer who submits their data on your website should be able to easily understand the intent. For example, if they agree to opt in to email updates, their information should not be used for other purposes.
- Education is key. Make sure that everyone on your staff is aware of the GDPR, compliance policies and how the regulations may affect your business.
The implementation of the GDPR is a major step forward for protecting consumers and businesses around the world. As consumers become increasingly protective of their personal data, regulations like those found in the GDPR go far in establishing trust between businesses and the consumer population.
Whether you’re affected directly by the GDPR or not, all businesses can leverage the changes in some way to further protect their own customers’ personal data. In a digital world where security breaches and cyber attacks happen all too frequently, any move made to protect consumer privacy is looked on favorably by the customers who invest their money and trust with you. Although there are challenges, there are things that we can all learn and benefit from in the GDPR.