What Is the GDPR?
The General Data Protection Regulation, also known by the acronym “GDPR,” is a sweeping new privacy law that strictly regulates what businesses must do to protect the electronic personal data of their European Union (EU) customers. The GDPR has enormous ramifications for businesses around the world, including those located in the United States, if they have any customers in the EU — even if it’s just a single person who purchased a product or service over the Internet.
The new law is extremely complex — it spans nearly 270 pages — and creates stringent requirements that companies in the United States must follow. Most critical for anyone who is just hearing about the GDPR, know that it has sharp teeth in the form of steep regulatory fines for non-compliance (see more below). Simply put, ignoring the newly enacted regulation is not an option as it could have devastating consequences for the future of one’s business.
I Have a Business Located in the United States. Does the GDPR Apply to Me?
Any business in the United States that collects, stores or otherwise handles the personal data of EU citizens is required to comply with the GDPR, even if the business lacks a physical presence in the EU. For example, if you are a Wisconsin company in any industry — online retailing, technology, manufacturing, marketing, e-commerce, financial services, etc. — that sells products or services over the Internet to EU citizens, or even sends out monthly newsletters, catalogs or other marketing materials via e-mail, you are handling personal data of EU citizens (at a minimum, their names and e-mail addresses) and have to comply. If you fail to do so, you face regulatory fines.
What Happens If I Don’t Comply with the GDPR?
Failing to comply with the GDPR can be very expensive. The law allows regulators to fine a business “up to 20 million Euros (about $23 million) or up to 4% of the annual worldwide revenue, whichever is greater.” And, since the fine is based on a percentage of revenue, not profit, a fine in the amount of 4% of a company’s revenue could wipe out an entire year’s profit.
How Long Do I Have Before I Have to Comply with the GDPR?
The GDPR went into effect on May 25, 2018, so your business may already be in violation.
Will EU Regulators Really Target My Business?
No one can say at this point. While it’s probably safe to assume that EU regulators won’t immediately target small and mid-sized businesses in the United States for some time, the EU regulators aren’t the only enforcers of the GDPR. Specifically, EU citizens have the right to request that any company provide them with all of their personal data that the company possesses — free of charge — which they can then request be corrected or deleted within 30 days. If a company gets such a request, but can’t respond because it’s not GDPR-compliant, the citizen can then file a complaint. In fact, on the first day that the new law first went into effect, a group of EU citizens filed complaints against Instagram, WhatsApp and Facebook for allegedly violating the GDPR.
In addition to creating a private right to action for individual EU citizens, the GDPR allows for class action lawsuits to be filed.
What Does the GDPR Require?
Some of the major requirements of the GDPR are as follows:
- Before collecting personal data, businesses must clearly disclose what data is being collected and why, how it’s being used, how long it’s being kept, and whether it’s being shared with third parties.
- Businesses must obtain a person’s affirmative, opt-in consent before collecting their data and the person can withdraw consent at any time. A website can no longer rely on statements such as, “by using this website you consent to our policy.”
- Within 30 days of receiving a request, a business must provide a person with all of their personal data that it possesses, and must correct or delete it if the customer requests.
- Under certain circumstances, businesses must appoint a full-time Data Protection Officer to ensure compliance with the GDPR.
- Businesses must provide notifications of data breaches within 72 hours.
Conclusion
If your business handles, collects, or stores any personal data of EU citizens — even if it’s just a single customer — you may be at serious risk of running afoul of the GDPR. While there’s much uncertainty as to how the new law will be applied in practice, the consequences of non-compliance could be severe. To be compliant, your business may need to take the following precautions:
- Update your privacy policy so that it explains, among other things, the legal basis for collecting and using personal data, as well as how you plan to use the data.
- Amend your website’s opt-in procedures so that a user’s consent is affirmative, explicit, informed and unambiguous.
- Develop new security processes to address encryption requirements.
- Develop new processes to respond to users’ request to access, modify or delete their personal data.
- Audit what personal data you collect, store and process, including where the data came from and with whom it is shared.
- Create notification procedures in the event of a data breach.