The European Union’s General Data Protection Regulation (GDPR), one of the world’s most stringent personal data protection laws on the books, will have implications for companies in the U.S. and elsewhere.
The regulation was passed by the EU Parliament in April 2016; the steep fines (up to 4% of global revenue or €20 million, whichever is greater) that can be levied for violating its precepts go into effect May 28, 2018.
Essentially, the GDPR marks a significant shift in how companies treat the data of EU citizens. It requires organizations to clearly understand what information they hold about private individuals, who has access to that information, where the data resides and how it is used, and then to take steps to protect that private-user data, known as Personally Identifiable Information (PII), according to an article in eWeek.
PII can include credit card numbers, Social Security numbers, birthdays and home addresses—all of which are collected online and in the course of ordinary business operations, eWeek said.
The GDPR includes a “right to be forgotten,” a 72-hour data breach reporting period, and strong “opt-in” consumer consent requirements, among other provisions. “Any U.S. company that has a web presence (and who doesn’t?) and markets their products over the web will have some homework to do,” a Forbes article said. Article 3 of the GDPR says that if your company collects personal data or behavioral information from someone who is in an EU country at the time the data is collected, your company is subject to the requirements of the GDPR, the article noted.
Also, a financial transaction doesn’t have to take place for the law to apply. PII collected for a marketing survey, for instance, is protected under the regulation. Note that a business would have to specifically target a data subject in an EU country; generic marketing does not trigger the regulation, Forbes said. So if the marketing is in the language of the EU country and there are references to EU users and customers, the webpage would be considered targeted marketing and the GDPR would apply.
U.S.-based hospitality, travel, software services and e-commerce firms are going to need to look closely at the regulation and how it will apply to them, Forbes warned. Also, any U.S. company that’s singled out a market in an EU country and has local web content will need to pay attention. Sound like you?
– Nicholas Stern, managing editor