By now you've certainly heard of the GDPR, which is the European Union (EU)'s General Data Protection Regulation. The GDPR was adopted to protect the personal information of European users from unauthorized disclosure and misuse. As such, the GDPR places very strict limits on where the data of EU citizens can be stored, how it can be used, how long it can be kept, and how it's protected.
As you would expect, the GDPR applies to every business in Europe. What you might not expect is that it also applies to any organization that keeps data on European citizens, whether it's used in commerce or not. And if you violate the rules, the fines can be massive: up to 20 million Euros (US$24,710,200) or 4 percent of your global revenue, whichever is greater.
What this means is, you might be better off forgetting about European business for a while, unless you're sure you can comply with the rules. The EU has an excellent website that explains the process. If you're planning to do business in Europe, then you and your IT folks need to read this website.
But if you're a large company already doing business in the EU, chances are you're already well aware of the requirements and you're probably well on your way to being able to show compliance with the rules.
But suppose you're not one of those organizations? Well, chances are that the GDPR still affects you. You'll need to sit down and look at your situation to make sure. Here's a quick look at the major things that you need to consider.
Operations and Data Protection
First, look at your operations. Do you target any type of marketing effort, no matter how small, at EU citizens? This could be anything as simple as having a version of your website in a European language or the ability to accept payments in European currencies. Or do you collect personal data of any kind for any purpose, even if it's not for a financial transaction?
This does not mean that you're targeting Europeans if they find your US-based website and buy something sold in US dollars. Even then, though, you need to be careful about what you do with the data and how long you keep it. And if you expect to be selling to European buyers on a regular basis, it might be a good idea to find a European company to service your accounts there.
Meanwhile, if you think there's any chance you might end up dealing with EU citizens, then it would be a good idea to make sure that you follow the rules regarding data protection and disclosure.
Data protection rules mean that you need to protect the data of EU citizens against loss, theft, or disclosure. You must also get rid of the data as soon as you can. And if any data of EU citizens is breached, then you have 72 hours after it's discovered to report it to European authorities.
You also need to disclose how you plan to use the data and how long you plan to keep it. The disclosures need to be clearly and simply stated, and the EU citizen needs to be able to agree or not agree. There are some things to keep in mind about the disclosure: you can't have the boxes pre-checked by default, and you can't use those dense, endless, legal "Terms and Conditions" documents as your disclosure.
An EU citizen can choose not to agree with your disclosure, and there needs to be a way for them to say "no." However, if the information you're asking for is necessary to provide the good or service (a credit card number or shipping address, for example), then you don't have to sell the product to someone who declines to provide it.
Note that the rules apply to both parties on your end of the transaction, meaning you and the credit card company. If you plan to sell things to Europeans, then you should confirm that your credit card processor will follow the GDPR rules for EU customers.
The Right to Be Forgotten
And, of course, there's the famous "right to be forgotten." You must be able to delete the name and personal information of any EU citizen on request. This means from any place, including backups, where that information might happen to reside. This will require you to become aware of where your data is and what's in it, something you probably can't do now.
There are limits on the right to be forgotten. For example, if you're required to retain some data, such as to meet Health Insurance Portability and Accountability Act (HIPAA) or Securities and Exchange Commission (SEC) requirements, then those legal retention requirements still have to be met. But beyond that, you have to be able to delete such personal data on request.
If all of this looks like a pain in the neck, then you might be right. Or you could look at the EU requirements for the GDPR as an opportunity to streamline your security operations in their entirety. For example, if you store and manage all of your data in a way that meets the requirements of the GDPR, then you'll have a much more secure operation.
Likewise, if you dump those long-winded, impossible-to-read "Terms and Conditions" documents and replace them with clear statements of intent and ask for agreement, then your customers will appreciate it. Also, if you stop storing data that you don't actually need but are required to protect, then your life is simplified and your risk from a breach is reduced since hackers can't steal what's not there.
Realistically, the GDPR codifies what are really best practices for how your organization handles other people's data. Finding a way to be in compliance with those rules will help your organization overall.