Today marks the first day that the European Union’s General Data Protection Regulation (“GDPR”) goes into effect. Below is a brief summary of what you need to know:
- Who needs to comply? All companies that process or store “personal information” about residents of the European Union. Personal information” is defined under GDPR as any information “that can be used directly or indirectly to identify the person.” The GDPR states that personal information thus can be “anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.” Essentially, if you have customers or employees based in the European Union, you likely need to look into complying with GDPR.
- This is day one – what exactly do we need to do immediately? There are a number of ways that GDPR can touch on your organization both online and offline. The primary focus of GDPR, however, is that you must obtain the clear consent of European Union residents before storing or processing their personal information. GDPR requires that you tell these individuals exactly how you plan to use their information in clear and concise language. Thus, many U.S. based companies will need to take steps to update their online privacy policies. You will also need to create clickable “consent” opt-ins online for any fillable form. This is in addition to other steps “offline” that must be taken.
- Wait, we aren’t in Europe so why should we bother with this? Even though your company is not based in Europe, the GDPR was written with the intention of grabbing companies outside of the European Union and forcing compliance. GDPR has a noncompliance penalty of up to 4% of annual global revenue. The best practice is to work toward compliance until more legal guidance is issued in the form of lawsuit challenges to the regulation or additional regulatory frameworks are created. Many companies, realizing that segregating data generated by European Union residents can be difficult, have opted to create universal privacy policies that apply to both U.S. residents and European residents.
While challenging, the upside to GDPR is that it is forcing many companies to take a look at how they are processing information they collect on customers and clients. More information on GDPR can also be found in this related WR Legal Blog post.