General Data Protection Regulation

Everyone seems to have a lot of questions around General Data Protection Regulation (GDPR). Here are a few facts that might help you understand what it means.

May 25, 2018.

GDPR is going to mean different things to different companies. If you don’t do business in the European Union (the EU), you may not have much reason to worry about it. On the other side, if you have data about people who reside in the EU, there are quite a few regulations that you have to be compliant with, even if you don’t have any presence in Europe. If you just do business in the EU, but don’t keep any client information, you will likely need to demonstrate a minimum level of compliance, and will likely have to make a few changes to your website.

Some of the fines can be quite severe, especially if you keep client data. Non-compliance can result in penalties of up to 4% of global revenues or 20 million Euros. Typically, these fines will be levied against those who are actively violating the core tenants of data privacy, but even the smaller fines can be quite significant.

Privacy. People in the EU now have the right to be forgotten and no longer have to opt out to not be tracked. They also have the right to know what information companies have about them. Like any law created by committee, this is a big, hairy beast of a law, but it will have the biggest impact on companies who keep information on EU residents—like Google and Facebook. At the same time, though, the law applies to all companies, not just the big ones.

This isn’t just about credit card information, like PCI. It affects cookies that websites collect, pictures, and anything that might be used to identify a person (including marketing habits just tied to an IP address or an otherwise anonymous visitor). Also, companies cannot collect anything on kids without parental consent. Again, this will likely be most important for Google and Facebook, but all companies who might be doing any business in Europe should make sure their websites are GDPR compliant, especially including publishing a cookie opt in message on their website.

Yes, notification of any breach. If you have any information on any EU residents (and you likely do, if you have any PII on clients) and you have a breach, you have to notify within 72 hours. This is the most stringent notification law we know of. Also, if you keep data on EU residents, you need to show how you are protecting it.

Yes, if your company is domiciled in the US (even if you have an office in the EU), we can help you. We have great expertise in this area, and we’ll help you figure out how to be compliant, hopefully without spending a ton of money. If you are already using our services, GDPR compliance will likely be easy. If not, we can use the process not just for regulatory compliance, but also to ensure that your data is secure not just on paper, but in the real world, too.