The General Data Protection Regulation (GDPR) reforms data protection law in the European Union (EU) and European Economic Area (EEA), but its requirements reach any company or individual that offers goods or services to people in those areas, or monitors their behaviour, including through a website that serves those customers. That means this data protection reform may apply to your U.S. business.
If you have visited a website and seen a pop-up asking you to accept or reject the site’s cookies, you have most likely landed on a page of a provider that offers services in the EU and EEA.
The GDPR is changing the digital landscape, and it raises the bar for demonstrating compliance. In the past many organizations relied on a disclaimer such as “by using this website, you accept cookies”; under the GDPR’s consent standard (freely given, specific, informed, and unambiguous, expressed by a clear affirmative action), users must be offered a genuine choice to accept or refuse non-essential cookies before those cookies are set, and the organization must be able to show that consent was actually given.
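To make the difference between the old disclaimer and an opt-in concrete, here is a small consent gate in JavaScript. It is an added example written for this page, not code from the article: the cookie categories, the in-memory “jar” that stands in for the browser cookie store, the cookie names, and the audit-log shape are all assumptions. Non-essential cookies are refused until an explicit opt-in is recorded, every decision is logged so it can be demonstrated later, and withdrawal purges cookies that no longer have a basis.

```javascript
// Added example (not from the article): an opt-in gate for non-essential
// cookies. The category names, the in-memory "jar" standing in for
// document.cookie, and the audit-log shape are all assumptions made here.
const CATEGORIES = Object.freeze({
  necessary: "necessary", // strictly necessary (session, CSRF token): no consent needed
  analytics: "analytics", // non-essential: requires opt-in
  marketing: "marketing", // non-essential: requires opt-in
});

class ConsentGate {
  constructor(now = () => new Date()) {
    this.now = now;        // injectable clock so runs are reproducible
    this.consent = null;   // no decision recorded yet, which means "no consent"
    this.auditLog = [];    // every decision is recorded so it can be demonstrated later
    this.jar = new Map();  // stand-in for the browser cookie store
  }

  // Record an explicit decision. Only a literal `true` counts as opt-in;
  // a missing, "on" or pre-ticked value is not a clear affirmative action.
  recordConsent(choices, policyVersion) {
    const decision = {
      necessary: true,
      analytics: choices.analytics === true,
      marketing: choices.marketing === true,
      policyVersion,
      timestamp: this.now().toISOString(),
    };
    this.consent = decision;
    this.auditLog.push({ event: "consent", ...decision });
    return decision;
  }

  // Withdrawal must be as easy as giving consent. Cookies that no longer
  // have a basis are purged immediately rather than left until expiry.
  withdrawConsent() {
    const previous = this.consent || { policyVersion: null };
    this.consent = {
      necessary: true,
      analytics: false,
      marketing: false,
      policyVersion: previous.policyVersion,
      timestamp: this.now().toISOString(),
    };
    for (const [name, cookie] of this.jar) {
      if (!this.allowed(cookie.category)) this.jar.delete(name);
    }
    this.auditLog.push({ event: "withdraw", ...this.consent });
  }

  allowed(category) {
    if (category === CATEGORIES.necessary) return true;
    return this.consent !== null && this.consent[category] === true;
  }

  // The only path by which page code sets a cookie: refuse anything that is
  // not covered by a recorded opt-in, and log the refusal.
  setCookie(name, value, category) {
    if (!Object.values(CATEGORIES).includes(category)) {
      throw new Error(`unknown cookie category: ${category}`);
    }
    if (!this.allowed(category)) {
      this.auditLog.push({ event: "blocked", name, category, timestamp: this.now().toISOString() });
      return false;
    }
    this.jar.set(name, { value, category });
    return true;
  }

  cookieNames() {
    return [...this.jar.keys()].sort();
  }
}

// Walk through one visit: before the banner, after a partial opt-in, after withdrawal.
// Cookie names and values are hypothetical.
function demo() {
  const gate = new ConsentGate();
  const beforeBanner = gate.setCookie("analytics_id", "a1b2c3", CATEGORIES.analytics); // false
  gate.setCookie("session", "s3ss10n", CATEGORIES.necessary);                          // true
  gate.recordConsent({ analytics: true, marketing: false }, "2018-05-25");
  const afterConsent = gate.setCookie("analytics_id", "a1b2c3", CATEGORIES.analytics); // true
  const marketingBlocked = gate.setCookie("ad_id", "x9y8z7", CATEGORIES.marketing);    // false
  gate.withdrawConsent();
  return {
    beforeBanner,
    afterConsent,
    marketingBlocked,
    remaining: gate.cookieNames(),               // ["session"]
    events: gate.auditLog.map((e) => e.event),   // ["blocked", "consent", "blocked", "withdraw"]
  };
}
```

The design choice worth noting is that the gate, not the calling code, decides whether a cookie may be set: tags and scripts call `setCookie` with a category and never touch the cookie store directly, so a missed banner or a forgotten check fails closed. The audit log is what lets the organization later show when consent was given, for which policy version, and when it was withdrawn.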
What is the GDPR?
Effective May 25, 2018, the GDPR applies a strict level of protection to the personal data of individuals in the EU and EEA. It replaces the 1995 Data Protection Directive with a single regulation that applies directly in every member state, so that one set of rules governs personal data across the region. The reform aims to better protect individuals’ data, including names, addresses, photos, IP addresses, and any other information that identifies or can identify a person (the regulation’s term is “personal data”). It applies to organizations established in the EU or EEA, as well as to any organization outside those areas that offers goods or services to, or monitors the behaviour of, individuals in the EU or EEA.
This protection is achieved by placing legal obligations on controllers (the company, public authority, agency, or other body that decides why and how personal data is processed) and on processors (anyone who processes personal data on a controller’s behalf), and by holding them accountable for the personal data they collect and store. Organizations must keep records of what personal data they process, for what purpose, and how it is protected, so that in the event of a breach or an inquiry from a supervisory authority they can demonstrate the steps they took to protect individuals’ data.
Why was the GDPR Implemented?
As data breaches become more common and attackers more resourceful, individuals are left to find and apply whatever protections they can for their own information. The GDPR compels companies to add to those efforts and to protect their users and clients from the start of the relationship. To prevent information from being stolen or lost, the GDPR requires that appropriate precautions be in place so that breaches become less frequent. It does not prescribe specific security technologies; instead it requires data protection by design and by default, and security measures appropriate to the risk (it names pseudonymization and encryption as examples), leaving each organization to choose the controls that fit its size, complexity, and data risk. The GDPR also introduced penalties for organizations that fail to protect their customers’ data to its standard, as a means of ensuring that companies follow the legislation.
In addition, the GDPR requires organizations to notify the supervisory authority of a personal data breach, where feasible within 72 hours of becoming aware of it, and to inform the affected individuals when the breach is likely to result in a high risk to them.
How can the GDPR Impact You and Your Business?
Beyond the threat of penalties for non-compliance (fines of up to 20 million euros or four percent of annual global turnover, whichever is higher), businesses that implement the required data protections will, by the GDPR’s own reasoning, offer their customers better protection from cyber threats and hacks.
Because a great many companies provide goods and/or services to individuals in Europe, an organization should analyze its current global involvement and its plans for international development to determine which data protection or privacy laws might apply.