Understand that if you do business online, the GDPR may apply to you. This new data-protection law applies to businesses of any size, even those with no direct E.U. operations or staff.
Similar personal data protection legislation is being developed here in the United States.
Responsible data management is about protecting your brand and your business. Every day we see new headlines about a data breach or about personal data being shared through incompetence or unethical behavior (think Facebook and Cambridge Analytica). Enforceable data-protection laws with significant penalties for violators are necessary and should be embraced by businesses.
So, what is the GDPR? The GDPR (General Data Protection Regulation) is a new law designed to protect the “personal data” of individuals in the E.U., including how that data is collected, stored, processed and destroyed. Note that the protection attaches to people located in the E.U., not to E.U. citizenship. The law takes effect on May 25th, 2018. The definition of ‘personal data’ under the GDPR is far broader than under U.S. law: it covers ‘any information relating to an identified or identifiable natural person’. This includes data such as a name, an ID number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. In practice it also includes IP addresses, cookie strings, social media posts, online contacts and mobile device IDs.
Obviously the GDPR affects U.S.-based multinational companies. If you are a U.S.-based company with no direct operations in the E.U., it likely applies to your business too.
U.S.-based businesses with no employees or offices inside the E.U. can still be subject to the GDPR. Under Article 3 of the GDPR, your business can be covered even if no financial transaction occurs: offering goods or services to people in the E.U. counts whether or not payment is required. If your U.S.-based organization communicates with and/or solicits members online, and some of them reside in the E.U., you are likely subject to the GDPR. By contrast, if your organization merely operates a website or runs Google AdWords and an E.U. resident happens to stumble upon your page, mere accessibility of the site is not enough on its own to bring you under the GDPR. One caveat: Article 3 also covers monitoring the behavior of people in the E.U., so tracking E.U. visitors (for example with analytics or advertising cookies) can trigger the regulation even without any sales. Simply put, if your organization actively fosters relationships with E.U. residents, or tracks their online behavior, the GDPR applies.
Consequences of Non-Compliance
The GDPR imposes significant fines on companies that fail to comply. Depending on the violation, penalties can reach 2% of a company’s global annual turnover or €10 million, or 4% of global annual turnover or €20 million, whichever amount is higher. The anticipated U.S. legislation promises to be just as potent.
Protect your organization from becoming a headline. If you market online, it is vital that you begin a risk assessment and put an action plan in place now.
Prepared by Chris Lowers, May 10th 2018