Whether you’re a small business owner in the U.S. of A. or a European customer wondering how far your data protection will go (or just someone like me who is curious how an EU regulation affects businesses in the states), it’s important to know about the GDPR. This regulation – full name, General Data Protection Regulation – rolled out last week and caused some chaos, already striking down several news sites and making them unavailable in Europe. We’re going to see more strikes in the future, along with possible blacklistings and fines. So, let’s see how it works, and how it could affect any US business that touches EU data.
What Exactly is the GDPR?
So, way back when in 2012, the EU wanted to create consistent data privacy laws throughout all the member countries. They settled on the General Data Protection Regulation to help protect consumer data. In some ways, the regulations set out are similar to Data Breach laws set out by all US states, and even some similar to the more stringent Massachusetts laws. Here’s a brief outline of what the GDPR does:
- Breach Liability and Reporting: If a breach occurs, anyone involved in processing user data, including third parties, is liable.
- Personal Deletion and Portability: If an individual requests that their data be removed from a company’s database, it must be done. Likewise, the company must help transfer that data to another service upon request.
- Data Protection Officer: Shortened to DPO, this officer is mandatory for any company that manages lots of private data (from employees or from outside the company).
- Parental Consent: Lastly, for children under a certain age (16 down to 13, depending on the country), parental consent must be given before they can use services/apps.
What the GDPR Defines as Personal Data
Terms like “personal data” or “private data” get thrown around a lot in the online world of cybersecurity. After all, beyond corporate data and digital property, it’s often the users’ data that is the most useful to would-be hackers. The GDPR thankfully has a great FAQ that covers its own definition, and it’s pretty broad:
The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier. This definition provides for a wide range of personal identifiers to constitute personal data, including name, identification number, location data or online identifier, reflecting changes in technology and the way organizations collect information about people.
As you can see, that covers pretty much any information that can identify a person, including simple things like their name and address, let alone personal information such as email, phone, credit cards, or their equivalent of an SSN. If you store any of this data: congratulations, the GDPR applies to you.
How This Affects Small Businesses
The short answer is the internet. This “service” has become an integral part of the world, and in doing so it has brought people from across the world together. That means if your services or products can be bought from Europe, you’re storing European personal data from the form or payment they filled out, and so every part of the GDPR applies to you. In fact, many websites and apps that even have the chance of gaining EU users are getting themselves in line for the GDPR.
The Types of GDPR Fines and More
And if you don’t get in line with the regulations? Besides the blacklisting we’ve seen with those news organizations, companies found to be non-compliant could see stiff fines: larger companies that do business in Europe could face €20M or up to 4% of their total global revenue for the year, with half that for smaller infractions. And that doesn’t include the issues that come with being shunned by third parties and vendors (and insurance).
How Do I Become GDPR Compliant?
Now, that’s a topic for another blog. In short, it’s about getting consent, knowing a user’s rights to their data, and making sure to secure that data properly. There are a ton of resources online to get started. I recommend this CIO article, Becoming GDPR compliant quickly, effectively and risk-free, as a good place to start. The GDPR is why you’ve been seeing a notice about an updated privacy policy from pretty much every app and service you use: most of them have European clients too. If you’re in the same boat, it might be time to get help.
I work for Vision, and while we’re mostly concerned with businesses located here in Massachusetts, we also understand that “here” isn’t just the Bay State online. It’s important for every business with an online presence to have an understanding of the GDPR and take steps according to the type of data they collect and where their clients are. If you’re looking not only to get your compliance up to snuff, but also to take your website, social media, and more to the next level, contact us.
2 Responses
This is actually useful, thanks.
I could not refrain from commenting. Exceptionally well written!