If you have any business dealings outside the U.S., you may have heard about shifting data privacy laws in the European Union.
The General Data Protection Regulation (GDPR), the new EU-wide privacy rule, comes into effect in May 2018. Anyone who does business with residents of the EU will have to be cognizant of the GDPR’s provisions and pitfalls.
The EU treats privacy and the protection of personal data as fundamental rights; they are enshrined that way in the EU Charter of Fundamental Rights and the EU treaties (there is no single EU constitution). As a result, regulators and citizens of the EU are far more attuned to personal privacy than most Americans. The new rules carry potentially very steep penalties: fines for the most serious violations can reach four percent of global annual revenue or 20 million Euros, whichever is greater.
What Does the GDPR Require?
The GDPR is designed to give EU residents a standard measure of personal data protection, with the same basic expectations no matter whether the individual is doing business with a French company, a Japanese company, or an American company. The tenets of the GDPR sound non-controversial: they involve notice, choice, and transparency (among other things).
At a minimum, this probably merits reviewing your privacy and employment policies to ensure that they fall in line with GDPR requirements of telling EU consumers what data you collect about them, what you do with it, and what rights they have to stop you (or to change their minds once they’ve given you their information).
Merely revising your policies and ensuring that you have a way to respond to consumer inquiries is not enough to be fully compliant with the GDPR, but it may be a reasonable approach if your exposure to the market is very limited. That decision should be made in consultation with your lawyer and possibly your cyber insurance carrier so that you can weigh the risks of non-compliance (or partial compliance) against the benefits and costs of compliance.
If you have significant dealings in the EU, you almost certainly need to do more. Reviewing and documenting your company’s practices regarding data collection and use, designing privacy-aware interfaces for new products and services, and choosing server locations so as to keep data local: all of these may be or become an important part of your GDPR readiness, because minimizing the data maintained on EU consumers and not transferring it to jurisdictions that lack the EU’s protections (absent an approved transfer safeguard) are key policy aims of the GDPR.
Does it Apply to Me?
If you have customers, employees, or even vendors in the EU, and you process their personal data electronically, you may be subject to the GDPR. The rules apply if you offer goods or services to individuals in the EU and/or if you monitor their behavior there. Cookies and other common Web tracking devices used to profile or track visitors are considered a form of monitoring.
This has important implications for how you design your online and data flow practices, both consumer-facing and internal. Also, the EU definition of “personal data” is far broader than the typical U.S. definition of personally identifiable information. It covers any information relating to an identified or identifiable natural person, including identifiers that merely make identification possible, not just specific information about a specific named person. IP addresses, for example, are “personal data” within the EU definition – not just tax ID numbers, email addresses, and so forth.
What Should I Do?
The first step for any company is awareness: knowing whether you have dealings with EU residents, and what information you collect and use regarding them, will tell you whether you need to undertake a compliance discussion with your cyber counsel and carrier.
After that, ensuring that your company makes personal privacy a priority, both internally and externally, is central to the GDPR’s accountability principle. Breaches like those at Equifax and the SEC announced in September of 2017, combined with EU suspicion of U.S. electronic surveillance measures, mean that U.S. companies will have to justify themselves to a skeptical regulator if they ever face their own incidents.