What is GDPR?
On Friday, May 25, 2018, the General Data Protection Regulation (GDPR), a new European law, went into effect. It primarily governs organizations in the European Union (EU), but its territorial scope clause also reaches organizations outside the EU, including in the United States (US), whenever they offer goods or services to people in the EU or monitor their behaviour there, even if they have no office or sales operation in Europe.
This may be as surprising to you as it was to me. As HowToGeek.com puts it, “Since the dawn of the Internet, companies have been gathering as much data as possible on anyone they can. It’s simple to collect that information, so there’s no reason for them not to hoard it.” And hoard it they have: they have used it to sell their own products and services, and in many instances have sold it on to third parties.
The GDPR is designed to protect the personal data of individuals in the EU from misuse. Wikipedia asserts that “According to the European Commission personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.” Personal data therefore includes biographical details, education and work history, and genetic data, as well as things like your call history, private messages, or geo-location data. Anything that can be tied back to an identifiable person, directly or in combination with other data, counts.
While data abuse recently came to the forefront with the Facebook/Cambridge Analytica scandal, the EU has been working on legally protecting data for decades. The GDPR replaces its predecessor, the Data Protection Directive adopted in 1995. The key difference is that the GDPR is a regulation rather than a directive: a directive has to be transposed into each member state’s own national law, whereas a regulation is directly binding in every member state from the day it applies, with a single set of rules and a single set of penalties. Its reach to US companies does not come from a trade treaty; it comes from the regulation’s own territorial scope clause, and non-EU organizations that fall under it are generally required to designate a representative in the EU whom the supervisory authorities can deal with directly.
How does GDPR affect US companies?
If a US company has a website, and who doesn’t, it is accessible to the whole world, including people in the EU. Mere accessibility is not enough on its own to trigger the GDPR, but two common situations are: offering goods or services to people in the EU (whether or not payment is taken, and signals such as pricing in euros or shipping to EU countries count), and monitoring the behaviour of people in the EU. The second catches most ordinary website practices, because tracking cookies, analytics profiling and advertising identifiers are all monitoring. A US company whose website does either of these things and collects personal data from an EU visitor is required to follow the rules of the GDPR for that data.
Beginning on May 25, any organization covered by the GDPR that is not compliant faces the possibility of fines of up to €20 million (about $26.6 million at the time of writing) or 4% of its total worldwide annual turnover for the preceding financial year, whichever is greater; turnover here means net sales excluding VAT (Value Added Tax). A lower tier of up to €10 million or 2% applies to less serious infringements, such as record-keeping and breach-notification failures. Either way, that’s not inconsequential.
In our next blog, learn how marketing will be impacted by GDPR.