If your business stores or processes personal information of European Union residents – even just their email addresses – you may need to comply with the GDPR.
In April 2016, the European Parliament approved the General Data Protection Regulation (“GDPR”). It becomes enforceable on May 25, 2018.
The GDPR applies to any entity – for profit or nonprofit, and wherever it is located – that offers goods or services to individuals in the European Union or monitors their behavior. In practice, that means any company that processes or stores the “personal data” of EU residents, even if the company itself has no presence in the EU.
The penalties for noncompliance with the GDPR can be extremely harsh: up to 4 percent of annual global revenue or €20 million, whichever is greater.
Here are several key takeaways:
- Which companies must comply? All companies that process or store information about residents of the European Union. The GDPR does contain language distinguishing companies with fewer than 250 employees from larger ones, but that distinction only relieves smaller organizations of certain record-keeping obligations; it does not exempt them from the regulation. Even that relief does not apply if the company processes certain types of sensitive personal information or processes personal data more than occasionally.
- The “Personal Data” definition is very broad. Personal data is defined as any information “that can be used directly or indirectly to identify the person.” The GDPR states that it can be “anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.”
- Clear consent is key. The GDPR makes clear that companies can no longer bury consent to use a person’s personal data in lengthy terms and conditions. Consent must be freely given, specific, informed and unambiguous, requested in an intelligible and easily accessible form, and indicated by a clear affirmative action (pre-ticked boxes and inactivity do not count). A company must also make withdrawing consent as easy as giving it.
- Data breaches must be reported within 72 hours. The GDPR requires a company to notify the appropriate supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it – not 72 hours from when the incident occurred, which the company may not learn of until much later. Where the breach is likely to pose a high risk to the affected individuals, they must be notified as well.
- The right to know how the data is being used and the right to be forgotten. Many companies collect email addresses and preferences of customers using their goods or services and may even pass that information to other entities. Under the GDPR, a customer has a “right of access” to learn whether and how their information is being processed, where, and for what purpose, and to receive a copy of it. A customer may also invoke the “right to be forgotten,” the right to erasure: the customer can demand that a company delete their personal data, and, where the request is valid (for example, the data is no longer needed for the purpose it was collected for, or consent has been withdrawn), the company must erase it without undue delay.
Given the serious penalties, any company with a customer base in the European Union needs to begin researching whether the GDPR has implications for its business. Depending on how your company processes data, there may be additional requirements, including appointing a Data Protection Officer, which is mandatory for public authorities and for companies whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of sensitive categories of data.
Taking steps now can ensure that your business will be compliant by May 2018. At a minimum, each impacted company should develop:
- Consent opt-in language that complies with the GDPR for their website;
- A process for storing and managing EU resident data; and
- A strategy for how data will be managed within your organization, including opt-out processes.
While onerous, the GDPR’s May 2018 deadline also gives many companies a reason to do a checkup on their online privacy policies, to ensure compliance not only with the GDPR but also with the Federal Trade Commission’s privacy guidance.
Article brought to you by:
Elizabeth Burgin Waller
Chair, Cybersecurity Practice Group