On May 25th, a new law goes into effect in the European Union in order to protect citizens from abuses of their personal data. It is called the GDPR, or General Data Protection Regulation.
But I don’t live in the E.U., and my company doesn’t operate in the E.U.
It doesn’t matter where your company is located; what matters is where the data you hold comes from. If an American company has European Union data in its possession, that data must be handled in compliance with GDPR.
What if I don’t comply?
Companies that don’t comply can be fined up to 2% of their worldwide annual revenue from the previous year. That’s a pretty penny.
Ok, what kind of data are we talking about?
This applies to any data that can be used to “directly or indirectly” identify a person. Think name, email address, phone number, photograph, IP address, etc.
But only people in the E.U., right?
This law applies only to data collected from EU residents.
What should I do?
- Figure out what personal data you might have, and document it. Think about your website, your email marketing, etc.
- If you share any of that information, document that, too.
- Update any data collection methods you use to collect the minimum amount of personal data necessary.
- If your methods do not allow users to consent to their data being collected, they need to be changed. For example, email sign-up forms should not automatically opt users into lists. Users must have the ability to opt themselves in, and you must have proof of opt-in. For existing lists, that means you should delete the data or send an email allowing individuals to re-opt in or be removed.
- Designate a Data Protection Officer if required (specific requirements noted at the resources linked below).
- Put a plan in place for data breaches. For example, how will you detect a breach? Who will you report it to? How will you investigate and correct it? Information on the requirements in the event of a data breach can be found here.
Ensuring compliance is the responsibility of companies. If you want to get more specific, here are two important resources: