The General Data Protection Regulation that was put in place by the European Union in May 2018 may seem unimportant in your everyday life, but anyone who owns a business that has a website or who subscribes to email from any website — which is probably most people — should be aware of what the regulation requires and how it might affect them.
“This [regulation] has been coming for two years,” says Robin Nodland, FAPR, RDR, CRR, of Portland, Ore., a member of NCRA’s Realtime and Technology Resources Committee. “I would not be surprised if eventually we had similar rules and regulations enacted soon” in the United States. [Ed. note: A California regulation with some similar points is expected to go into effect in 2020.]
What is the GDPR?
The General Data Protection Regulation, more commonly called the GDPR, protects the personal information of residents of the European Union. The personal data covered includes names, user IDs, IP addresses, cookies, social media posts, and much, much more. The official text of the GDPR can be found at https://gdpr-info.eu. The GDPR went into effect May 25 of this year. And, even though they are based in the U.S., both Facebook and Google were immediately sued under the regulation for how they handled the personal information of people based in the European Union.
You might think that your business or organization is too small to be affected — that only the big companies will be sued. However, some experts think that it is the small companies that will have the most to lose if they fail to put compliance measures in place. If your firm manages or stores any personal data of individuals residing in the EU, GDPR affects you.
Need more encouragement? Although it has yet to be determined exactly how U.S. companies will be held accountable, fines for non-compliance can reach €20 million (more than $22 million) or 4 percent of the company’s annual global revenue, whichever is higher.
Generally speaking, this regulation only applies to your organization if you have a “presence” in the European Union. The definition of presence is somewhat broad and likely will affect the majority of businesses and websites, even if they are not located in Europe. For example, you may be affected if you have:
- A person on staff in the EU
- Members in the EU
- Events in the EU
- EU country domain names
- Products or services available for sale in Euros (or other local currencies)
- Apps available within stores of an EU member country
The main thrust of the GDPR is that businesses need to be able to show that consumers have given clear consent for the business to collect any personal data. For this reason, many companies, both within the European Union and around the world, have revised their privacy policies and collection practices on their websites to account for the GDPR requirements. You will probably see that many websites now require a two-step sign-up or show additional pop-ups noting that the website uses cookies or requesting access to your location. For some sites that you visit regularly, you may want to enable cookies. A cookie is a small piece of data stored on a person’s computer so that the person can be identified and tracked as he or she moves through a website. For instance, the NCRA.org website uses cookies to allow members access to their personal information, such as their status on taking tests and current number of CEUs — two things that couldn’t be done easily without using cookies.
Even if you don’t have any members/customers/clients located in the European Union, it’s still smart to remain as GDPR-compliant as possible. Some United States regulators have even called for a personal data review here at home, saying America is no longer the leader in data protection.
Here are additional links:
- TechLinks: What you should know about the GDPR for your personal information
- TechLinks: What you should know about the GDPR for your business