If you’ve noticed an odd surge of emails from companies asking you to accept their updated terms of service or asking you to opt back into their newsletter, you’re not alone. There’s a new data privacy law that’s becoming enforceable very soon.
The General Data Protection Regulation (GDPR) is the legal framework within European Union law governing the collection and use of data from individuals residing within the 28 member states of the EU and the European Economic Area. While the regulation was passed back in April 2016, it becomes enforceable as of May 25, 2018, hence all the recent online activity.
According to the official site of the GDPR (which you may or may not be able to access because of the high traffic volume), the regulation is designed “…to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy.” What this means is that EU citizens will have much more control over their data, and companies are going to have to be much more transparent about how they use that data.
Will this affect non-European businesses?
So, we know what you’re thinking. “How does this affect my U.S.-based small business?” GDPR matters not only to American businesses, but to any business around the globe that services any individual who lives in the countries within the EU. You don’t even have to deliver goods to or from Europe — even if you collect an email address from a European website visitor, your business must be GDPR compliant.
If you feel like this is the first you’re hearing about this, don’t fret. Many companies, large and small, have not received the memo about this new regulation. A recent survey found that even some London-based companies (around 24%) didn’t know about it, either. Because May 25th is the supposed deadline for being compliant, many businesses are just now hearing about it as it trends online.
So, what do you have to do?
If you’re a small, local business that only serves customers in your city or state, then you may not have to do much. However, if you have email campaigns that send to lists containing European IP addresses, then you might need to be a quick study on GDPR.
On the surface, the new regulation doesn’t sound all that different from other U.S. data privacy laws that most of us may already follow. But GDPR takes it much further, and the penalties can be overwhelming. Here are some key points:
- The definition of personal data has widened: Generally, we think of personal data as location, gender, email address, etc., but GDPR also includes other items like genetic, cultural and economic information.
- Terms of agreement must be clearer and simpler to understand: You know when you fill out a form and check a box that says “I’ve read the terms and conditions,” and there is no way to tell whether anyone actually clicked through to read them? Well, no more. Agreements must now be front and center before someone submits their data, and the language must be clear and plain.
- Data breach notifications must occur within 72 hours of awareness: If you’ve been made aware of a potential data breach within your company, you have up to 3 days to report it to a data protection officer.
- EU citizens can submit a data subject request: Data subjects — the term used to describe the people whose data has been acquired by a company — can request that a company provide them with a full record of how their data has been used or accessed. A data controller will need to respond within 30 days of the request, and if it misses the deadline, the subject can then file a complaint with their local regulator.
- GDPR introduces the “right to be forgotten”: This is more than just a simple “remove me from your newsletter list.” Subjects have the right to request that a company erase all of their personal data on a wide range of grounds.
- Penalties and fines can equal up to 4% of your global revenue: Depending on the severity of the non-compliance and a host of other factors, authorities may fine your company up to 4% of your revenue (and not profits, either). To put this in perspective, Amazon.com would be fined $7 billion if it were found non-compliant.
There are many, many more updates to data privacy than can fit here. If you’re feeling confused about all of this, that is okay, because you’re in good company. Even large companies like Facebook and Twitter have known about this since its adoption two years ago and are only now tying up loose ends.
For a medium-sized company that often handles data from European customers, we suggest finding a law firm that specializes in data privacy and protection to help rewrite your terms of service, or a management firm that assists businesses seeking to become GDPR compliant.
You can visit the official website for more information on next steps, but again, the site may be slow to navigate because of the increasing traffic.