European GDPR Catching Many US Companies Off Guard
If the answer to any of the questions below is “yes”, then, like it or not, a complex new regulatory framework imposed by the European Union called the General Data Protection Regulation (GDPR) likely impacts your company, and you have until May 25, 2018 to get compliant.
- Have citizens of countries in the European Union (EU) registered with your company’s website and provided their personal information?
- Does your website or mobile application track the IP address or geolocation of an individual user who might reside in an EU country?
- Do you have a company website that accepts orders in European currencies? (not only the euro; other European currencies count too)
- Does your company have employees in EU countries?
- Does your company employ contractors in EU countries?
- Are you planning to expand to new markets in EU countries?
According to Forbes, the law applies to “any company that collects data on EU residents. That means that if you want to do business in Europe you have to invest in compliance… and the penalty for noncompliance is a hefty fine of up to €20 million, or 4% of annual global revenue – whichever number is higher.”
Here are a few highlights of what your company faces if it wants to do business in Europe going forward:
- A financial transaction does not have to take place for GDPR regulations to kick in; they apply as soon as you collect personal information.
- If a breach occurs, you have only 72 hours to provide notification.
- Your company may have to engage a Data Protection Officer to help mitigate risk.
- Any EU resident can request a complete list of all the data you hold on them.
- EU residents can demand that you erase all information you hold on them, and you have only 30 days to respond.
- GDPR requires that a user provide “clear and unambiguous” positive consent before you may collect data on them.
- Consent should be kept separate from other terms and conditions.
- Pre-filled opt-in check boxes or other default forms of consent are not allowed.
- Under some circumstances, individuals must be allowed to place restrictions on how you use their data.
- You will need a disciplined approach to deleting or de-identifying personal information as soon as there is no longer a valid business reason to keep it.
- There are stricter rules about gathering personal information on users under age 16, which require “reasonable efforts” to gather parental consent “taking into consideration available technology”.
- You will probably have to put data protection agreements in place with any other company to which you give access to the personal information you’ve collected.
- You will likely need to conduct regular audits of your efforts to get and stay compliant to show regulators you are serious about protecting data privacy.