Companies in the U.S. are finally starting to pay attention to the General Data Protection Regulation (GDPR) news that’s been coming out of Europe lately, because compliance will be enforced starting May of 2018. That’s not a lot of time to get ready. What is this new regulation, why did it come about, and what does it mean exactly for companies in the U.S.?
What happened to make the EU stand up and say, “Hey, we need some new laws to handle data protection”? Basically, the old laws (literally and figuratively: they were enacted in 1995) were too old to keep up with changing technology and the exponential growth in the volume of data. The EU realized it was time for some changes.
This is a binding law that strengthens the protection of personal data for all individuals within the 28 member states of the EU. The new law applies to any company that offers goods and services to citizens in the EU (and therefore processes their personally identifiable information). This is why American companies (and others) are paying attention: if they do business with the EU or handle data of any kind about EU citizens, they need to be compliant.
If you’re found to be out of compliance, you could face a steep penalty: up to 20 million Euros or 4 percent of annual turnover (similar to revenue), whichever is higher. Fines levied will vary based on the nature and duration of the violation, as well as where it occurred, because enforcement likely will not be standardized across the EU.
It depends on where your company is located. It’s important to remember that Brexit, in the context of GDPR, would only affect companies based in Great Britain, not the U.S. According to the GDPR website, “If you process data about individuals in the context of selling goods or services to citizens in other EU countries then you will need to comply with the GDPR, irrespective of whether or not the UK retains the GDPR post-Brexit. If your activities are limited to the UK, then the position (after the initial exit period) is much less clear.”