What U.S. Businesses Need to Know About GDPR
On May 25, 2018, new regulations governing the use of personal data belonging to people in the European Union will go into effect. The General Data Protection Regulation (GDPR) is designed to protect the privacy of individuals in the EU but will also have wide-ranging implications for businesses worldwide. According to a survey on GDPR preparedness by PwC US, 77 percent of U.S.-based companies expect to spend $1 million or more to meet GDPR requirements, and 9 percent expect to spend more than $10 million. Here’s what U.S. businesses need to know about GDPR.
What Is GDPR?
GDPR is a set of rules that governs how personal information of EU citizens is collected, processed, managed, or stored.
The goal of the GDPR is to give individuals more information and greater control over how their personal data is used by ensuring that they know and understand what data is collected about them and on what basis. Consent is one of several legal bases for processing; where a business relies on it, the consent must be freely given and specific to each purpose. Data subjects also have the right to see what data is held about them and the right to limit or discontinue its use.
The EU has always considered data privacy important, but the GDPR establishes new rules of compliance, and new, more severe penalties for violations. The GDPR allows for several different levels of fines for non-compliance, with the maximum being 4% of a company’s annual global revenue or €20 million, whichever is greater.
Personal data protected by GDPR includes any information relating to an identified or identifiable person, including:
- Name
- Address
- ID number
- Health information
- Racial or ethnic origin
- Sexual orientation
- Political views or affiliations
- Religious beliefs or affiliations
- Genetic data
- Biometric data
- Location data
- IP address
- Cookie data
- RFID tags
Truly anonymous data that can no longer be linked to a person is outside the scope of the GDPR, but the anonymization must be irreversible. Pseudonymized data, such as a record keyed by a hashed email address or customer number that the company can still map back to an individual, is still personal data. Note also that the GDPR protects people who are in the EU, regardless of their citizenship; it is not limited to EU citizens, and it applies to the data of anyone located in one of the 28 EU member states.
GDPR Terms to Know
- Territorial scope: This defines the jurisdiction of the GDPR, which covers not only businesses established in the EU, but any entity anywhere in the world that processes personal data in connection with offering goods or services to individuals in the EU, or with monitoring the behavior of individuals in the EU.
- Personal data: Any type of data that can be used, either alone or in combination with other data, to identify a person.
- Data controller: Any person, company or other entity that decides how personal data is collected and used. Under GDPR, data controllers are required to clearly inform data subjects about how their personal data will be used, and maintain detailed internal records of what data they collect and how they are using it.
- Data processor: Any entity that is responsible for collecting, storing, modifying, recording, or processing data on behalf of a data controller.
- Data protection officer: This position is required for public authorities and for organizations whose core activities involve regular and systematic large-scale monitoring of individuals, or large-scale processing of sensitive categories of data (such as health, biometric, or genetic data). The DPO is responsible for the organization’s data protection strategy, educating employees on compliance requirements, performing privacy audits, and reporting on privacy issues to company management.
- Right to be forgotten: The right to have personal data or content deleted or removed.
Who Is Affected by GDPR?
For U.S. businesses, one of the most important aspects of the GDPR is that it does not only apply to EU businesses: any entity, anywhere in the world, that collects, uses, or processes the personal data of people in the EU must be compliant with GDPR.
The new GDPR regulations will affect your business if you:
- Use any personal data from EU citizens
- Collect email addresses from and/or send email to subscribers in the EU
- Process data from EU citizens on behalf of another entity, i.e., as a subcontractor
Suggested To-Dos for GDPR Compliance
- Determine whether your company collects or uses ANY personal data from EU citizens. Remember, if you have a website, it can be accessed by anyone regardless of location, so some of your customers or users may well be citizens of the EU.
- If you discover that you do collect or process the data of EU citizens, do a data audit to identify all types of personal data your company collects, stores, or processes. Identify what data you have, where it is located, what you use it for, and how long you need to keep it in your system.
- If your company sends email to EU citizens, you should review your email processes and either create a separate signup system for EU subscribers, or change all opt-in practices to comply with GDPR.
- If your company’s core activities involve large-scale monitoring of people in the EU, or large-scale processing of sensitive data about them, the GDPR requires that you appoint a data protection officer.
- If your company uses data from EU citizens, make sure your privacy policy explicitly describes how that data is collected and used, rather than using vague phrasing such as “to improve your experience” or “for research.” Any changes to privacy policies must be communicated to users on an ongoing basis.
- Under GDPR, anyone who has given consent for their personal information to be used may revoke that consent at any time. They also have the right to know what information you have, and to request that the information be corrected or deleted. That means if your company uses data from people in the EU, you must have the ability to identify, access, edit, and delete an individual user’s data, and to do so free of charge and within one month of the request (extendable by up to two further months for complex or numerous requests, provided you tell the requester within the first month).
- Review the process you use to obtain consent from your customers for the use of their personal information. Data subjects must be asked to check a box or otherwise take a clear affirmative action to indicate consent; pre-ticked boxes, silence, or inactivity do not count. They must be given the option to approve or decline each type of use separately and to review and change their preferences, and you must be able to demonstrate what they consented to and when.
- If your company uses data from people in the EU and experiences a data breach, the GDPR requires that you report it to the relevant supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the individuals affected. If the breach is likely to result in a high risk to them, you must also notify the affected individuals without undue delay.
Additional resources on GDPR, how it may affect your business, and what you need to do to prepare:
- From New York University School of Law’s Program on Corporate Compliance and Enforcement: The General Data Protection Regulation: A Primer for U.S.-Based Organizations That Handle EU Personal Data
- From Compliance Junction: GDPR for U.S. Companies
- From HIPAA Journal: GDPR Compliance for U.S. Companies
- From Microsoft: Preparing for a New Era in Privacy Regulation
- The full text of the GDPR