The European Union’s General Data Protection Regulation (GDPR) came into effect in May 2018 requiring significant privacy protections for consumers that could impact your small business. In this blog post, we will examine the most important requirements of this new law and how it might affect small businesses in the US without locations in Europe.
Summary of the GDPR’s Main Requirements
The GDPR is designed to provide greater protection for consumers, or “data subjects,” in the European Union (EU) by requiring companies to apply a stringent level of security to the personal data they hold. It tightens the restrictions on what companies and organizations can do with consumer data, and it gives consumers better access to their data and more control over how it is used. Some of the most important requirements in the GDPR are summarized below.
- Both the company that decides how EU consumer data is used (the “controller”) and any third party that handles it on the company’s behalf (a “processor”) can be held liable for data breaches.
- Companies must collect data lawfully and transparently, keep it accurate, and store it securely.
- Companies can only keep data for as long as they need it for the purpose it was collected, and cannot reuse it for unrelated purposes.
- A consumer can ask a company to delete their personal data or stop processing it. The deletion right, known as the “right to be forgotten,” applies in defined situations, for example when the data is no longer needed for its original purpose or the consumer withdraws consent.
- When a company’s core activities involve large-scale, regular and systematic monitoring of individuals, or large-scale processing of highly sensitive (“special category”) data, it must appoint a data protection officer (DPO) to oversee compliance.
- Consumers have a right to data portability, meaning they can obtain their data in a commonly used, machine-readable format and transfer it to another company.
- Companies must notify the supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to put individuals at risk.
Harsh Penalties for Non-Compliance
The designers of the GDPR gave it teeth to make sure that companies would take it seriously. Depending upon factors such as the severity of the infringement, the company’s past history of data protection, and its level of cooperation with authorities, a company can be fined up to a staggering 20 million Euros or 4% of annual worldwide turnover (whichever is higher). The regulation actually has two tiers: the lower tier of up to 10 million Euros or 2% of worldwide turnover applies to failures of operational obligations such as security measures, breach notification and record keeping, while the higher tier applies to violations of the core principles, of consumers’ rights, and of the rules on transferring data outside the EU. Which tier applies depends on what was violated, not on whether the company is a first-time offender, and either is a significant penalty.
It’s unclear how aggressive the EU’s enforcement of the GDPR will be, especially as companies initially get used to the new requirements. However, it would be unwise for a small business not to take compliance seriously and risk these substantial fines.
Impact on US Companies
It is clear that the GDPR directly affects any US companies with business locations in the EU or customers in the EU. Additionally, Article 3 extends the regulation to companies with no EU presence at all when their processing relates to offering goods or services to people in the EU (whether or not payment is taken) or to monitoring the behavior of people while they are in the EU. Note that the GDPR speaks of “personal data,” which is broader than the US notion of personally identifiable information (PII): it covers anything that can be linked to an identifiable person, including email addresses, phone numbers, home addresses, IP addresses and tracking cookie IDs.
Signs that a company is “targeting” EU consumers include webpages with marketing information in a language spoken in an EU member state, a country-specific domain suffix such as .de or .nl, accepting payment in an EU currency such as the Euro, shipping to EU addresses, or conducting marketing surveys with European consumers. A US business that does any of these and collects personal data as a result must comply with the GDPR.
However, companies that reach EU consumers only incidentally, through generic marketing, would not have to comply with the GDPR. For example, if a German user searched for information on the web and found the company’s English-language website pages designed for US consumers or B2B customers, this alone would not bring the company under the GDPR. In short, having a website that EU consumers can access does not mean the company must be GDPR-compliant; the GDPR applies only if the company is offering goods or services to people in the EU or monitoring their behavior. One caveat for the second test: profiling EU visitors through tracking cookies or behavioral analytics can count as monitoring even when the site is not otherwise aimed at Europe.
Some US industry sectors that are likely impacted include tourism, software services, travel, hospitality, and e-commerce companies.
Steps to take to Remain in Compliance
Ensure consumer consent is given willingly
One major change that US companies will have to implement is to ensure that, where they rely on consent, an EU consumer has freely given it: consent must be specific, informed and unambiguous, and expressed through a clear affirmative action. In practice this means offering a blank checkbox that the consumer must tick in order to grant consent. A pre-ticked box, silence, or a long “terms and conditions” page will no longer be sufficient. Consent must also be granular, so separate checkboxes are needed for each distinct purpose, such as sharing the data with third-party vendors or partners. Withdrawing consent must be as easy as giving it, and the company must be able to demonstrate what the consumer agreed to and when. Companies must also provide clear information and forms that enable consumers to easily access their personal data and object to its use. Keep in mind that consent is only one of the GDPR’s lawful bases for processing; data needed to fulfil an order, for example, is processed on the basis of the contract rather than a checkbox.
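As an added illustration, not code from the original post or from Network Depot, here is a minimal consent ledger in Python showing the mechanics the paragraph describes: one unticked box per purpose, no implied opt-in, withdrawal that is as easy as granting, and a record of which notice wording the person saw, which matters because the company carries the burden of demonstrating consent. The purpose names, the `ConsentLedger` class and the `send_newsletter` gate are hypothetical; a real system would persist the events rather than keep them in memory.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Hypothetical purposes a small-business signup form might ask about.
# Each must be consented to separately; none is pre-ticked.
PURPOSES = ("newsletter", "share_with_partners", "usage_analytics")


@dataclass(frozen=True)
class ConsentEvent:
    """One consent decision, kept as evidence that consent was (or was not) given."""
    purpose: str
    granted: bool
    at: datetime
    notice_version: str   # version of the privacy wording the person actually saw
    source: str           # where the decision was made, e.g. "signup-form"


class ConsentLedger:
    """Append-only, per-subject, per-purpose consent log.

    The latest event for a purpose decides whether processing is allowed, so a
    withdrawal is simply another event and is as easy to record as a grant.
    """

    def __init__(self, purposes=PURPOSES):
        self._purposes = frozenset(purposes)
        self._events: Dict[Tuple[str, str], List[ConsentEvent]] = {}

    def _record(self, subject_id, purpose, granted, notice_version, source, at=None):
        if purpose not in self._purposes:
            raise ValueError(f"unknown purpose: {purpose!r}")
        event = ConsentEvent(purpose, granted, at or datetime.now(timezone.utc),
                             notice_version, source)
        self._events.setdefault((subject_id, purpose), []).append(event)
        return event

    def record_form(self, subject_id, ticked, notice_version, source="signup-form"):
        """Record the outcome of a form that shows one unticked box per purpose.

        Only boxes the person actively ticked count as consent. Every other
        purpose is recorded as 'not granted' so there is evidence that it was
        offered separately and left unticked, rather than silently assumed.
        """
        unknown = set(ticked) - self._purposes
        if unknown:
            raise ValueError(f"unknown purposes ticked: {sorted(unknown)}")
        return [self._record(subject_id, p, p in ticked, notice_version, source)
                for p in sorted(self._purposes)]

    def withdraw(self, subject_id, purpose, source="preferences-page"):
        """Withdrawal is just a new 'not granted' event; nothing is deleted."""
        latest = self.evidence(subject_id, purpose)
        version = latest.notice_version if latest else "n/a"
        return self._record(subject_id, purpose, False, version, source)

    def evidence(self, subject_id, purpose) -> Optional[ConsentEvent]:
        """Latest recorded decision, i.e. what you would show a regulator."""
        events = self._events.get((subject_id, purpose))
        return events[-1] if events else None

    def has_consent(self, subject_id, purpose) -> bool:
        """True only if the latest decision is a grant; no record means no consent."""
        latest = self.evidence(subject_id, purpose)
        return bool(latest and latest.granted)

    def history(self, subject_id, purpose) -> List[ConsentEvent]:
        return list(self._events.get((subject_id, purpose), []))


def send_newsletter(ledger, subject_id):
    """Gate a processing activity on a current, purpose-specific consent."""
    if not ledger.has_consent(subject_id, "newsletter"):
        return "skipped: no valid newsletter consent on record"
    return f"sent to {subject_id}"


if __name__ == "__main__":
    ledger = ConsentLedger()
    # Constructed sample: the person ticked only the newsletter box.
    ledger.record_form("user-42", {"newsletter"}, notice_version="privacy-notice-2018-05")
    print(send_newsletter(ledger, "user-42"))
    ledger.withdraw("user-42", "newsletter")
    print(send_newsletter(ledger, "user-42"))
```

The design choice worth noting is that unticked boxes are recorded explicitly rather than ignored: a missing record and a recorded “no” both deny processing, but only the latter proves the box was offered unticked when the consumer later asks what they agreed to.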
Protect customer data
On a positive note, many US companies should already be well prepared to meet the GDPR’s security requirements. The regulation asks for security measures appropriate to the risk and explicitly mentions encryption and pseudonymization, so a company that already follows a recognized framework such as the NIST Cybersecurity Framework, ISO 27001, or PCI DSS has most of that groundwork in place. Be aware, though, that these standards cover only the security side of the GDPR. They say nothing about having a lawful basis for each use of the data, being transparent with consumers, honoring access and deletion requests, keeping records of processing, or restricting transfers of data out of the EU, so following them does not by itself make a company GDPR-compliant.
72-Hour notification of data breaches
When a company becomes aware of a personal data breach, whether from a cyberattack or from an accident such as a lost laptop or a misdirected email, it must report it to the relevant EU regulator, the “supervisory authority,” without undue delay and, where feasible, within 72 hours. The only exception is a breach unlikely to put individuals at risk; if the notification is made later than 72 hours, the company must explain the delay. This applies to any personal data, though breaches involving email addresses and passwords, financial or medical information, or data about children will almost always meet the risk threshold.
The GDPR also requires the company to tell the affected consumers themselves, without undue delay, when the breach is likely to result in a “high risk” to their rights and freedoms. This generally comes into play when a data breach exposes credit card numbers or account passwords. Notably, the consumer notification is not required if the exposed data was unintelligible to whoever obtained it, for example because it was properly encrypted and the keys were not compromised, which is one concrete reason to encrypt stored personal data.
Adding a data protection officer
The GDPR requires companies whose core activities involve regular and systematic monitoring of individuals on a large scale to appoint a data protection officer. The DPO advises the company on its obligations, monitors compliance, reports directly to senior management, and serves as the point of contact for the supervisory authorities and for consumers with questions about their data. The same requirement applies when a company’s core activities involve large-scale handling of extremely personal information, referred to as “special categories of data.” This data includes racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic and biometric data, health data, and data about a person’s sex life or sexual orientation. Some EU member states also require the appointment of a DPO under additional circumstances.
In summary, your small business should take the time to learn whether it must comply with the new regulations under the GDPR. Even if your company is not required to appoint a DPO or make any drastic changes to its current privacy procedures, a review of your current actions and policies is always beneficial. We recommend consulting with a trusted IT Support partner such as Network Depot as well as a legal advisor to ensure that your business is always operating legally and most effectively in protecting sensitive customer information.