Last Updated on May 25, 2017
Within the fascinating (I think!) and constantly evolving realm of data privacy, the next big thing is the European Union’s General Data Protection Regulation (GDPR). The regulation entered into force on May 24, 2016, and GDPR compliance will be enforced starting on May 25, 2018, one year away.
The point of the GDPR is to harmonize data protection rules across the EU member countries so that data can move smoothly among them, within a framework that upholds the data privacy rights of individuals in the EU. (Strictly speaking, the regulation protects anyone located in the EU, not only citizens; this post uses “EU citizens” as shorthand. Note this includes the UK, which is adopting the GDPR even though it is leaving the EU.) Enforcing GDPR compliance is not about putting a stop to collecting data, but it will have a huge impact on how data collection is done.
Businesses of all sizes that hold or process data on EU citizens, regardless of where on the planet they are located, are expected to manage their data flows and business processes in alignment with the GDPR’s requirements, and to document that they have done so. Most likely, many affected firms in the US are not yet compliant and will be exposed to penalties if they have not closed the gap by the time enforcement begins.
Who Must Comply With The GDPR?
Any company that processes personal data of people in the EU, offers goods or services to them (paid or free), or monitors their behavior must attain GDPR compliance. Here are examples that would qualify for needing to comply with the GDPR’s information privacy rules:
- If you collect email addresses and send email to subscribers in the EU
- If your website harvests data from European citizens that you keep or sell, or if you keep records of sales made to them
- If you process or store EU citizen data as a service to your clients (a “processor” in GDPR terms); processors have their own obligations and can also be held liable in the event of a data breach
- If you sell goods or services to people in the EU
- If you collect data from mobile devices used by EU citizens while they are traveling in the US, you could be impacted; the regulation’s reach is written in terms of people located in the EU, so this is an edge case, but any tracking of the same people once they are back in the EU is squarely in scope (Yes, that means many marketers, even small companies, will need to comply)
What Impact Can I Expect the GDPR to Have on My Business?
Some of the particulars are bound to have a major impact on IT and marketing practices. For instance, businesses whose core activities involve large-scale, regular and systematic monitoring of individuals, or large-scale processing of sensitive categories of data, must appoint a data protection officer. If an EU citizen no longer wants his or her personal data to be processed by a company, in most cases the data must be deleted (the “right to erasure”). Believe it or not, parental consent is required for children under 16 (member states may lower this to 13) to sign up for online services such as social media.
What “personal data” does the GDPR apply to? The definition encompasses any information relating to an identified or identifiable person, including online identifiers such as an IP address. It also includes HR records, customer lists and automatically collected personal data. Pseudonymized (key-coded) data still counts as personal data as long as the key, or any other information that would re-link it to a person, exists somewhere; only truly anonymized data falls outside the regulation. Psychometric and profiling data, such as the browsing and behavioral information that social media sites like Facebook collect through trackers in your web browser as a basis for targeting ads, is covered, and the regulation places specific limits on decisions made solely by automated profiling. Genetic and biometric data are singled out as “special categories” that are subject to stricter rules.
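To make the pseudonymization point concrete, here is an added example (not from the original post) that key-codes a small set of constructed customer records with an HMAC and then shows the two ways such data gets re-identified: by whoever holds the token lookup table, and by whoever holds the key plus any candidate list of identifiers. The records, the key and the function names are all assumptions for illustration; the only output that escapes the regulation is the aggregate at the end, which contains nothing that points back to a person.

```python
"""Keyed pseudonymization of customer records, and why it is still personal data."""
import hashlib
import hmac


# Constructed sample records (assumed for this example, not taken from the page).
CUSTOMERS = [
    {"email": "alice@example.com", "ip": "203.0.113.7", "purchases": 3},
    {"email": "bob@example.com", "ip": "198.51.100.23", "purchases": 1},
]

# Fields that directly identify a person and get replaced by a token.
DIRECT_IDENTIFIERS = ("email", "ip")


def token_for(value: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) of an identifier, truncated for readability.

    Deterministic for one key, so rows about the same person can still be
    linked; without the key the token cannot be recomputed from a guessed
    identifier, which is what makes this pseudonymization rather than a bare
    hash that anyone could brute-force from a list of email addresses.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def pseudonymize(records, key: bytes):
    """Replace direct identifiers with tokens.

    Returns the key-coded rows and the lookup table (token -> identifiers)
    that the controller keeps separately. The existence of that table, or of
    the key, is exactly why the coded rows remain personal data.
    """
    coded, lookup = [], {}
    for rec in records:
        row = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        row["subject"] = token_for(rec["email"], key)
        lookup[row["subject"]] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
        coded.append(row)
    return coded, lookup


def reidentify_with_table(coded, lookup):
    """Whoever holds the lookup table recovers the identities directly."""
    return [dict(row, **lookup[row["subject"]]) for row in coded]


def reidentify_with_key(coded, key: bytes, candidate_emails):
    """Whoever holds the key plus any list of candidate identifiers (a mailing
    list, a CRM export) recomputes the tokens and matches them, with no need
    for the lookup table. Returns token -> email (None where no match)."""
    by_token = {token_for(e, key): e for e in candidate_emails}
    return {row["subject"]: by_token.get(row["subject"]) for row in coded}


def aggregate(records):
    """Anonymized output: totals only, with nothing that links back to a person."""
    return {"subjects": len(records),
            "purchases": sum(r["purchases"] for r in records)}


if __name__ == "__main__":
    key = b"controller-secret"  # assumed key, held by the data controller
    coded, lookup = pseudonymize(CUSTOMERS, key)
    print("key-coded rows:", coded)
    print("re-identified via table:", reidentify_with_table(coded, lookup))
    print("re-identified via key + guess list:",
          reidentify_with_key(coded, key, ["bob@example.com"]))
    print("anonymized aggregate:", aggregate(CUSTOMERS))
```

The practical takeaway is that a pseudonymization key is a secret with the same blast radius as the raw identifiers: store it and the lookup table apart from the coded dataset, restrict who can read them, and treat the coded rows as in scope for erasure requests and breach notification.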
What About Enforcement?
How the GDPR will work in reality is an open question, especially for US companies. We do know penalties will be significant: up to €20,000,000 or up to 4% of a firm’s annual worldwide turnover for the preceding fiscal year, whichever is greater.
It’s critical that organizations begin to understand the impact of these regulations now, before they take effect, because establishing and documenting compliance could take significant time, effort and money. You’ll also need to review your contracts and ensure that relevant third-party vendors handling data on your behalf have clearly documented policies and are themselves in compliance; the GDPR requires a written contract with such processors spelling out their obligations. That said, the more you’re already doing to ensure data security for your customers, the better off you probably are in relation to GDPR compliance.
To talk over the ramifications of the GDPR for your organization, including training on data privacy, updating data privacy policies and assessing compliance gaps, contact Pivot Point Security.