There’s an urgent data privacy and security deadline looming on the horizon that could affect many thousands of US businesses. The trouble is that a significant share of them, including many small and mid-sized companies, are either unaware of or unfamiliar with the General Data Protection Regulation (GDPR), or assume that Europe’s most significant overhaul of data privacy and security law in twenty years doesn’t apply to them, when in fact it may.
Your questions answered
Here, in part one of a series on the subject, we provide an overview of the GDPR and answer common questions smaller American firms are asking, including what it is, when it takes effect, to whom it actually applies, and the potential penalties for non-compliance (hint: think high, harsh and unprecedented).
Future posts in this Primer series will familiarize you with other vital aspects of the new regulations, including key data privacy/security terms, protection mechanisms, and steps for preparation, as well as ongoing compliance.
What is the GDPR?
Adopted by the European Parliament and the Council of the EU in 2016, the General Data Protection Regulation replaces the 1995 EU Data Protection Directive, which, for the most part, did not regulate companies based outside the European Union. At its core, the GDPR is intended to provide greater data privacy and security protections to persons located in the EU’s 28 member states, and to give these individuals (the regulation calls them ‘data subjects’) more control over their personal information’s entire ‘lifecycle,’ including how it’s collected, processed, stored and destroyed. Unlike a directive, a regulation applies directly without separate national legislation, and the GDPR becomes enforceable on May 25, 2018. There is no separate US effective date: from that day it applies to any organization, wherever it is based, that falls within its scope.
Who must comply?
The actual scope of GDPR’s data privacy and security requirements is lengthy, nuanced and fairly complex, and should be clarified in full with an IT Managed Services Provider or other security and compliance expert. Generally speaking, however, if you target people in the EU in their own language via a website (using, say, Germany’s .de domain suffix), refer to EU users or customers in your copy, or otherwise process the ‘personal data’ of people located in the EU, your company is subject to the new law. Note that the test is where the person is, not their citizenship, and (here’s the kicker) it applies even if no financial transaction takes place (e.g. a survey). Even if you only handle EU personal data on behalf of your own customers, you may still be subject to GDPR’s long territorial reach, because the regulation covers processors as well as the controllers who decide why and how data is used.
Forbes says that the U.S.-based business types most likely to fall under GDPR’s territorial scope include hospitality, travel, logistics, e-commerce and software services.
Forbes also warns that “EU-directed online marketing forms and interactions will have to be adjusted to obtain explicit consumer consent.” In the language of the GDPR itself, consent must be ‘freely given, specific, informed and unambiguous.’ (We’ll cover how EU regulators define ‘consent,’ ‘personal data,’ and data ‘controllers’ vs. ‘processors’ in a future post).
What is the penalty for non-compliance?
If regulators find a company in violation of the new framework, the potential penalty is harsh, so stiff in fact (and this is not hyperbole) that it poses an existential threat for most small organizations: for the most serious infringements, up to €20 million (roughly $24 million at current exchange rates) or 4 percent of worldwide annual turnover for the preceding financial year, whichever is higher. Moreover, supervisory authorities can impose a temporary or definitive ban on processing, which in practice bars a company from working with customer data until operations are brought into compliance.
‘Added strain’ on cybersecurity teams
This GDPR’s new level of compliance is “sure to put added strain on internal security teams already struggling to keep pace with the ever-evolving criminal underworld that's making hefty profits selling stolen personal data,” cautions the Forbes Technology Council.
And while it’s true that the GDPR won’t immediately affect all U.S. businesses, those who must comply find themselves in the 11th hour, possibly in need of an IT Managed Services Provider (IT MSP) to provide last-minute guidance, security solutions or infrastructure upgrades.
Review GDPR’s 11 Chapters and 99 Articles in their entirety (the official text is Regulation (EU) 2016/679), and check back soon for the next post in our GDPR Primer series.