Likely, you saw plenty of headlines as the final May 25, 2018 deadline approached. Just more alphabet soup? You may have ignored the article content as soon as you discovered that this was the name of European Union (EU) legislation.
What is it?
General Data Protection Regulation – protects the personal data and privacy of individuals in the EU, who are referred to as “data subjects”. Its provisions cover the whole lifecycle of personal data: collection, use, storage, protection, transfer and retention (collectively, “processing”).
Who does it apply to?
Any business that processes the personal data of individuals in the EU, regardless of where the business is located. Organizations established in the EU are covered outright; organizations outside the EU are covered when they offer goods or services to individuals in the EU or monitor their behavior there. Yes, this means US companies must comply if they conduct such activities. The individuals involved can be customers, vendors, employees, former or prospective employees, contractors – essentially any living person.
What is considered personal data?
A broad-brush definition that encompasses almost anything that can be tied back to an identified or identifiable individual – a far broader net than just direct or indirect financial data. Other examples are health data, biometrics, physical and email addresses, online identifiers such as cookies and IP addresses, photos, and government document numbers. Personal data used by natural persons for purely personal or household activities, such as the private use of social media, is not covered by GDPR.
What business functions imply GDPR-subject activities?
Offering goods or services to individuals in the EU, whether free or paid; monitoring the behavior of individuals (including profiling, analytics and research); marketing activities; and storing personal data, since storage alone counts as processing.
What are some of the rights of “data subjects”?
The best known is the “right to be forgotten”. In general, data subjects gain more visibility into and control over their personal data in the hands of businesses (“data controllers”). This includes the right to learn what specific data has been collected and why, to obtain a copy in a structured, commonly used and machine-readable format, to have inaccurate data corrected, and to request that personal data be erased.
What happens if you do not comply and are caught?
Significant fines, in short. For lower-tier offenses, up to the greater of 10 million euros or 2% of annual worldwide revenue for the preceding financial year. Higher-tier offenses carry fines of up to the greater of 20 million euros or 4% of annual worldwide revenue. Also on the table are reputational damage and compensation claims from individuals resulting from breaches.
This post hit a few highlights to entice you to reconsider whether your business has some GDPR-compliance work ahead. While it is tempting for US companies with little to no international operations (fewer and fewer of these truly exist anymore) to ignore GDPR, the work of getting compliant will also substantially improve your data-security practices. With massive data breaches hitting headlines almost weekly, many with monumental implications, such as the Equifax breach and the exposure of voter data, the US is likely to enact much more stringent data security requirements in the near future. Why not get moving now?
We expect to expand this discussion on GDPR compliance in subsequent posts, including reviewing some of the specific responsibilities and requirements under this legislation.