In recent years, the European Parliament has been working on a new piece of legislation called the General Data Protection Regulation, or GDPR. GDPR was formally adopted by the EU on April 14, 2016, and the regulation will be enforced starting on May 25, 2018. This new regulation focuses specifically on the protection of personal data of EU residents. This is our first in a series of three posts that will address the concept of GDPR and its wide-ranging impacts.
GDPR takes the place of a previous European privacy regulation called the Data Protection Directive 95/46/EC. The big change here is that GDPR creates a uniform standard for personal data privacy across the EU and for all EU residents.
So if you’re a U.S. business, why should you care? Even if you don’t have a presence in the EU or don’t do business there, your company (and others outside the EU) can still be affected. And if you don’t comply and are found to be in breach of EU GDPR, that breach can have lasting consequences on both your company’s finances and reputation.
Here are the key takeaways on why U.S. companies need a thorough understanding of how GDPR impacts their business.
It’s all about location - of EU residents, that is.
The territorial scope of the new regulation is quite vast, in that GDPR regulations apply to any business that processes personal data on EU residents, regardless of the physical location of the business. So that means you could have zero offices and staff in any European Union country, and even zero customers in the EU. But, if your business in any way processes and stores personal data on EU residents (customers or otherwise), it falls under the jurisdiction of GDPR.
Nothing directly compares in the U.S.
Though there are some state data breach notification laws and industry-specific federal data privacy laws on the books, there’s not one U.S. federal law that specifically governs personal data privacy. Many U.S. state laws are reactive, in that they require companies to notify certain entities after a breach has occurred (like the California Data Breach Notification Law). A handful have proactive, prescriptive laws, like the Massachusetts Standards for the Protection of Personal Information. Federal laws like HIPAA and the Fair Credit Reporting Act apply only to certain information (medical records) and specific agencies (consumer reporting agencies).
Affected parties can sue.
The regulation refers to people whose personal information has been collected as "data subjects". GDPR expressly dictates that data subjects will be able to take legal action against companies based on the mishandling of their personal data, in the form of a collective proceeding (Europe's version of a class action lawsuit) brought by individuals or a consumer agency. And similar to class action lawsuits in the U.S., the winner may be entitled to the attorney's fees - plus any additional compensation dictated by the suit.
Financial impacts to your business are LARGE.
With the introduction of GDPR, there are sizeable financial impacts for global businesses. Not only can they be sued by data subjects; if they're found to be in breach, a series of fines may be levied by the EU depending on the severity level of the infraction. The maximum fine can be upwards of 4% of annual global turnover, or 20 million Euros - whichever ends up being larger. Smaller fines apply to infractions of only specific parts of the GDPR and will be dependent on the severity level of that infraction. And there's more: the severity level takes into account things like the duration of the breach, whether it was intentional or negligent, and whether efforts were made to alleviate any harm caused to data subjects.
Breaking news: terms of consent must be clearly spelled out.
You heard that right: GDPR includes a provision that any terms related to consent must be presented in an easily understandable manner. No more lengthy terms using complicated legal language that no one reads or understands anyway. Businesses are required to make clear to data subjects exactly what will happen to their data, so they can give informed consent. (Hallelujah for all us end users out there!)
GDPR has been in the making for quite some time, and it will be enforceable in less than a year. It's time to take a deeper dive into all aspects of your business, to understand if it falls under GDPR jurisdiction.