Remember getting a bunch of emails in May from websites changing their privacy policies? You can thank the GDPR. Enacted by the European Commission, the GDPR (General Data Protection Regulation) is a law in the European Union that seeks to give individuals more control over how organizations store and use their personal data.
The GDPR has much more significant implications for your U.S. business than a few annoying emails, however. Unfortunately, 84% of U.S. companies confess that they don’t understand what the GDPR means for their business.
In this article, we’ll discuss the impact that the GDPR is having on companies in the United States. We’ll also cover what steps you should take to address that impact.
GDPR: What It Does and Who It Affects
The goal of the GDPR is to strengthen the protections that EU citizens and residents have over their personal data. This includes any information that organizations can use to identify a unique person. We’re talking about names, physical addresses, email addresses, ID numbers, and even online identifiers such as IP addresses and cookies.
In particular, organizations must be able to justify why they are storing personal data, and delete the data when it no longer has a justifiable business purpose. Organizations must also be transparent about how they use this information in response to an inquiry.
The guiding philosophy of the GDPR is that people, not companies, have ultimate ownership and control of how their personal information is used.
One of the biggest stipulations of the GDPR—and one that far too many U.S. companies are unaware of—is the fact that it doesn’t just affect businesses in the EU. Every organization that stores the personal information of EU citizens and residents must comply with the terms of the GDPR. Or, they could face the potential penalties: fines up to 4% of annual revenue or 20 million euros, whichever is higher.
Companies that refuse to comply with the GDPR will be effectively shut out of the EU market, with an estimated population of 508 million people. This makes the GDPR’s impact effectively worldwide.
Because the EU is so large, it’s a near-certainty that any company over a certain size will do business with an EU national. That’s especially true for those that operate online.
GDPR: How It Affects Your Business
The GDPR has come into effect in May 2018. Therefore, your company should already be in compliance—or at least taking steps to do so. The sooner you prove that your business is GDPR-ready, the less likely you are to face penalties and fines.
Many websites have chosen to display a notification the first time that a EU user visits the site. This window either informs visitors how their data will be used, or asks them for their explicit consent to use their data in a certain manner (such as for marketing purposes).
Once the company collects this information, they must store it securely to minimize the risk of a data breach. In the event that a cyberattack does occur, you must notify an EU regulator within 72 hours of discovering the breach.
The GDPR has undoubtedly had an impact on the operations of U.S. companies with a strong web presence. Organizations that understand the GDPR requirements and take action will be able to thrive in this new regulatory environment.
Understanding GDPR with EaseTech
Have more questions? No problem.
Talk to an expert in online data privacy and security to see how you can make your business compliant with GDPR today.