What US Businesses Need to Know About the GDPR
Any US company that conducts business on the internet and collects, uses, or stores Personally Identifiable Information (PII) needs to guarantee the information is safe and secure. PII includes usernames, email addresses, social security numbers, and credit card information. This is a requirement of the federal government.
As well, the reason policies like HIPAA, the Electronic Communications Privacy Act, and the Financial Services Modernization Act are in place. Going forward, there is the chance you will need to also comply with the General Data Protection Regulation (GDPR). While this is currently a European specific regulation, some US States are adopting these or similar regulations, so it does impact businesses across the US.
What is GDPR?
At its core, GDPR is a set of rules designed to give citizens within the European Union more control over their personal data. It does this by demanding personal data is collected in accordance with existing laws. It also requires that anyone collecting personal information protects the data from misuse and exploitation. Additionally, respecting the rights of the data owners.
Replacing the EU Data Protection Directive which was enacted in 1995, the GDPR comes into effect on May 25.
How it Impacts US-Based Companies
The question most people are asking is how a policy established by the European Union will affect American businesses. Why should you worry about an EU regulation?
There are three main reasons:
Many American businesses market in the EU
What most companies have failed to realize is that the new policy focuses on protecting the consumer more than the business entity. You might not have a company in Europe. However, a significant number of US-based companies market to consumers in Europe. If this is accurate for your business, then once the GDPR comes into force. Hence you will need explicit permission from those consumers before you can use their personal information. As an example, it can be changes to your web collection practices, messages, and privacy policies.
The definition of American PII vs. EU “personal data”
Americans refer to personal information as PII. On the other hand, Europeans refer to it as “personal data.” What you may not be aware of is the variation in the scope of PII compared to “personal data.” PII is defined as an individual’s name accompanied by any other type of identifying information such as credit card information and social security number. Under GDPR, “Personal data” covers a much wider scope. GDPR states that personal data is “any information related to an identified or identifiable natural person.” This means that everything from an individual’s name to location and even details such as genetic, cultural and economic data are considered “personal data.”
You need to report breaches in less than 72 hours
This could be the big one. Normally, companies take days, or even weeks to report a security data breach. Which is sometimes understandable because it can take a bit of time to establish the cause and full impact of a breach. Unfortunately, the GDPR isn’t granting that much time. Under the new regulation, affected organizations have a maximum of 72 hours to report a breach to a supervising authority. Where there is “high risk” to fundamental property and privacy rights, then the individuals themselves will need to be notified.
Penalties for non-compliance
We don’t know how fines for non-compliance will be levied or pursued. The GDPR language seems to point to lesser fines for mistakes in attempted compliance and larger fines for non-compliance. How will they review hundreds of thousands of websites and take action? No one knows exactly.
Put Simply the GDPR Raises the Bar
Even if you’ve complied with the PCI DSS and other regulations all along, the strict requirements of the GDPR can pose a challenge. Suffice it to say that if you have European Union marketing targets and are collecting something as simple as an email address for lead capture, then ensuring your website forms, emails, and privacy policies conform to GDPR standards are important. Here’s a quick and helpful guide from the email marketing team at MailChimp to give you specific actions to take.
Keys in general are to have a compliant privacy policy on your site and to have means to alert visitors to cookies, ways to opt-out, and information on what is being collected.
Digital Hill can do a review of your website for compliance and give recommendations on needed updates. Please contact us today if you want to discuss further.