The General Data Protection Regulation, which the European Union began enforcing in May 2018, may seem remote from your everyday life, but anyone who owns a business with a website, or who subscribes to email from any website (which is most people), should be aware of what the regulation requires and how it might affect them.
“This [regulation] has been coming for two years,” says Robin Nodland, FAPR, RDR, CRR, of Portland, Ore., a member of NCRA’s Realtime and Technology Resources Committee. “I would not be surprised if eventually we had similar rules and regulations enacted soon” in the United States. [Ed. note: A California regulation with some similar points is expected to go into effect in 2020.]
What is the GDPR?
The General Data Protection Regulation, more commonly called the GDPR, protects the personal data of individuals in the European Union. Personal data covered includes names, user IDs, IP addresses, cookie identifiers, social media posts, and much more. The full text of the regulation can be read at https://gdpr-info.eu. The GDPR went into effect May 25, 2018. And even though both are based in the U.S., Facebook and Google had complaints filed against them under the regulation on its very first day, over how they handled the personal data of people in the European Union.
You might think that your business or organization is too small to be affected, and that only the big companies will be pursued. However, some experts think that it is the small companies that have the most to lose if they fail to put compliance measures in place. If your firm is established in the EU, or handles personal data of individuals in the EU in connection with offering them goods or services or monitoring their behavior, the GDPR applies to you.
Need more encouragement? Although it has yet to be determined exactly how U.S. companies will be held accountable, fines for the most serious violations can reach €20 million (more than $22 million) or 4 percent of the company's annual global revenue, whichever is higher.
Generally speaking, the regulation applies to your organization only if you have a “presence” in the European Union. That definition is broad and will likely reach most businesses and websites, even those not located in Europe. For example, you may be affected if you have:
- A person on staff in the EU
- Members in the EU
- Events in the EU
- EU country domain names
- Products or services priced in euros (or another EU member state’s currency)
- Apps available within stores of an EU member country
Even if you don’t have any members, customers, or clients located in the European Union, it is still smart to stay as GDPR-compliant as possible. Some United States regulators have even called for a review of personal data protection here at home, saying America is no longer the leader in data protection.