Are you a business in the United States? Think you don’t need to worry about the EU General Data Protection Regulation (GDPR), which applies from May 25, 2018? You may want to check again: your company may be subject to the regulation (and its penalties for non-compliance) even if you don’t intentionally market to people in the EU.
What is GDPR?
GDPR is a new data-protection framework adopted by the European Union. It replaces the 1995 Data Protection Directive with more stringent, directly applicable rules that govern how organisations must protect the personal data they collect about individuals in the EU. Its focus is personal data (any information relating to an identified or identifiable person) and how organisations process it, rather than big data as such. It also places heavy weight on consent: where consent is the basis for processing, it must be freely given, specific, informed and unambiguous, and the individual must be told why the data is needed and how it will be used and stored.
How does this affect me if my business is located in the United States?
Even though the GDPR is an EU regulation, it applies extraterritorially by its own terms (Article 3): it reaches organisations outside the EU that offer goods or services to individuals in the EU, or that monitor their behaviour there. U.S. companies that hold or plan to collect personal data about people in the EU must therefore comply. If you obtain an email address that identifies a specific person in the EU (firstname.lastname@example.org, as opposed to a generic mailbox such as email@example.com), you are processing personal data and may be subject to the GDPR’s rules and sanctions. If you ship goods to individuals in the EU, you may be subject to the GDPR. Note that the test is where the person is, not their citizenship. If you employ people located in the EU, or run web-based marketing that targets or tracks visitors from the EU, you should assume the GDPR applies to you.
What is the risk of noncompliance?
There are severe financial penalties for noncompliance: for the most serious infringements, fines of up to 20 million euros or 4% of your annual global turnover, whichever is higher.
Not sure if you are subject to the GDPR? Contact us for a consultation.