American-based businesses wondering whether the new European Union General Data Protection Regulation (GDPR) applies to them should know this: it does. Even if you are just a small- or medium-sized business that currently has domestic customers, you need to be aware of what is happening with this important change to the Internet and what it means to your business. After all, even websites of the smallest U.S.-based businesses can be accessed by global audiences.
Introduced in April 2016, the General Data Protection Regulation (GDPR) becomes enforceable as of May 25, 2018. Its goal is to protect data and provide privacy for all individuals in the European Union. This includes personal data that may be exported outside the EU. The GDPR affects how personal data is processed, stored and transferred.
Why was GDPR introduced?
This new regulation replaces the Data Protection Directive and gives EU citizens and residents control over their personal data. It is intended to simplify the regulatory environment for international business and unify regulation within the European Union. It is important to understand that the GDPR is a regulation, not a directive. Thus, it does not require national governments to pass any enabling legislation. It is directly binding and applicable.
Does GDPR impact businesses in the United States?
Yes. It impacts businesses all over the world. The GDPR applies to any business, organization, company or media group regardless of location or size that processes personal data of EU citizens or residents, including temporary residents.
If you question whether your business needs to be in compliance, consider the following:
- Does your business have an affiliate or location within the EU?
- Do you conduct any business in the EU?
- Do you sell any service or product to persons living in the EU?
- Do you employ any individual residing in the EU? (This includes employees who are U.S. citizens living in the EU, even temporarily.)
- Is your business involved in the transfer of personal data to or from the EU?
- Does your company participate in research that would involve collection of personal data from EU citizens or residents?
- Does your company employ any vendor within the EU to process data?
What kind of data is included?
Data that falls under European Union General Data Protection Regulation includes the following:
- Identity information: name, address, phone number, ID number
- Personalized data: health, biometric, racial, ethnic, sexual orientation, genetic information or political stance and opinions
- Web identifiers: location, IP addresses, radio-frequency identification (RFID), cookie data
Essentially any information that would identify a person in any way falls under this regulation. If your organization knows anything about an individual and that person is an EU citizen or simply resides in the EU, you must be in compliance with GDPR.
How can I know if my business is ready for GDPR?
Again, it is important to understand that you don’t have to be an industry giant to have to be in compliance with the European Union General Data Protection Regulation. Every business, organization, company or media group that collects information is held to this new standard.
What happens if my business is not in compliance with GDPR?
No matter where an organization is located throughout the world, if it is not in compliance, it will face large fines. “They can be as high as €20 million (roughly $24,715,000) or 4 percent of a company’s total global revenue, whichever is larger.” Of course, this is the maximum fine that would be imposed for the most serious of violations. However, a fine of some cost would be imposed nonetheless, and a tiered approach will be taken depending on the type of violation.
How can my business become compliant with GDPR?
The steps your business will need to take depend upon the unique structure of your systems and processes as well as the customers (or potential customers) that visit your website. Becoming compliant at this time is vital and can be a massive undertaking. HubSpot offers some enlightening information via their GDPR Roadmap. This information applies to big and small B2B and B2C organizations.
At Talent Evolution, we are up to speed on the actions organizations of all types and sizes need to take to be in compliance with the European Union General Data Protection Regulation (GDPR). If you need help navigating your business’ systems and processes or making important updates to your privacy policies, give us a call. We are here to help.