Here’s a twist on that old philosophy debate about whether a falling tree makes a noise if no one is there to hear it: If new data privacy laws are passed in the European Union, do those outside the EU hear the noise?
Simple answer: Yes. And it is a loud thump about to be heard worldwide, with reverberations for years to come.
The European Union’s General Data Protection Regulation, set to take effect in May 2018, is arguably the loudest and farthest-reaching noise ever made in the data protection community. It affects not only the EU nations, but all companies that keep data on EU customers even if the company doesn’t maintain offices or servers in an EU nation.
For example, a California company visited in person by an EU tourist who signs up for the company’s emails would be subject to the new data privacy rules.
Violations will carry stiff penalties, with fines up to 20 million Euros or 4 percent of total annual worldwide revenue, whichever is greater. So compliance with GDPR could be the most business-critical consideration for data collection and storage since the Y2K transition back in the late 1990s.
The GDPR itself is nearly 300 pages, but here’s a simplified guide:
- Because the rule rests on consumers controlling how and when their data is shared, consumer permission must be validly obtained, and data collection methods and storage must be transparent;
- EU data subjects have the right to control what personal information is retained and how it is used;
- EU data subjects can delete, edit and export the information you have retained;
- Information that directly or indirectly identifies or makes a person identifiable is considered personal data; and
- Data breaches must be reported within 72 hours.
The compliance requirements are especially important for companies doing e-commerce, analytics or social media, but the odds are extremely high that you will be processing data involving EU residents no matter what your business is.
Experts advise that you should think of your firm as being responsible for compliance unless you plan never to do a single transaction with an EU resident. And that seems highly improbable in our globally interconnected market.
Using the GDPR as a guideline, do a gap analysis of your current data privacy protocols and identify critical areas that need to be addressed now.
Back to that tree idea: Consider how leaves fall from a tree during high winds. That tree may be on someone else’s property, but the leaves – the diverse sales or service transactions that potentially could involve EU residents – are going to end up on your lawn.
By Jason Rose