Since May 25, 2018, citizens of the European Union have enjoyed protection through the GDPR, or General Data Protection Regulation, a pro-consumer law that strengthens the privacy rights of individuals under its umbrella. And although this legislation only applies to European citizens, as a business in the United States, Canada, or anywhere else outside of the EU, you may still be subject to its terms – that is if you gather or process relevant data from customers in the countries bound by the regulation through your marketing and/or sales efforts.
The big question: as a US-based organization, why should your organization care? Well, any violation of the GDPR results in a fine of either 4% of global revenue or €20 million, equivalent to about $23.5 million. So, with that in mind, what is the scope of GDPR and what organizations are most at risk of incurring that hefty fine?
The Skinny on GDPR
“Pretty much everyone is breaking the law right now,” said Denmark-based media analyst Thomas Baekdal in a recent interview with Digiday. “There is not a single consent dialogue box anywhere that is easy to understand. We have not really realized how much this is going to hit us. Everyone is trying to make things work the way they used to, rather than thinking about privacy.”
The GDPR changes the way user information is gathered, used, and stored. Since it came into effect less than two months ago, it’s still a new concept to many— studies show that 60% of businesses weren't prepared for the May 25 deadline for compliance.
Whereas privacy was a second thought in the past, consideration of user privacy is now built into the system. The GDPR defines user data as anything from your name, email, photos, medical information to social media posts and your computer’s IP information. Under the new law, companies must gain consent from the user for any information gathered at any point in the business-consumer relationship. The user also has the right to freely and easily withdraw their consent at any time.
How are businesses actually affected?
Many of these points were set in response to events in recent memory that have compromised personal information: breaches of Yahoo, Equifax, and UnderArmour, for example. Many of these breaches were not disclosed of until months after the fact- worsening their consequences and leaving consumers in the dark. One of the features of the GDPR now requires companies to announce data breaches within 72 hours of discovery.
Companies have an active role under GDPR. All data controllers— organizations that collect data from EU residents— must now employ a Data Protection Officer, whose job it is to make sure companies comply with the regulation. They are also the point of contact with the Data Protection Authorities (DPA), the supervisory agency that is in charge of enforcement in each EU country.
When it comes to businesses that primarily collect data from EU citizens, it is important to be mindful of the actual regulations of what you can and can't do. According to the EU's rules, lawful processing of consumer data includes situations where:
• The data subject has given consent to the processing of his or her personal data for one or more specific purposes.
• Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
• Processing is necessary for compliance with a legal obligation to which the controller is subject.
• Processing is necessary in order to protect the vital interests of the data subject or of another natural person.
• Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
• Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Though the interpretation of these rules differ from person-to-person, the basic idea for non-EU organizations is this: if you collect any data from an EU citizen through your website, lead generation and/or sales efforts, you need to ensure that they have given consent for their data to be stored - this includes cookie tracking and email efforts.
How can businesses work towards compliance?
Though there's a staggering amount of organizations who haven't become GDPR compliant in the US, it's not as much of a concern if your client base is domestic. Don't let this ease your concerns, however - your business should continue to work towards compliance for a number of reasons, such as an EU citizen happening upon your site or future US-based regulations that mirror those of the GDPR.
To begin your work towards becoming a compliant business, first consider if you have the manpower to have someone on your own staff to head up efforts. Task that employee with consuming as much information as they can and becoming your resident GDPR expert. If you don't think you can assign the responsibility, it might be a good idea to look into network contractors or an IT consultant to assist these efforts.
The Compliance Checklist
If anyone can vouch for how confusing GDPR and compliance can be, especially for non-EU organizations, it's us here at Cobb. Because of this, we've decided to put together a succinct checklist to help guide you in your understanding of the GDPR.
The checklist, which you can download for free here, lists what we think are the top three most important factors in your work towards compliance. Compliance will touch nearly every aspect of your business, but it pays to be thorough - 4% of your global revenue, to be exact.