May 25, 2018 was the deadline for GDPR compliance, and you probably have a lot of questions like: How prepared am I for this new era? Does it even concern my business? What is GDPR anyway?!
What is GDPR?
First things first, GDPR stands for General Data Protection Regulation, which was passed all the way back in 2016 and applies to all member states of the EU. This new set of rules replaces the 1995 EU Data Protection Directive which allowed businesses scattered across the EU to do their own thing concerning data protection.
Under the General Data Protection Regulation, all directives are harmonized under the same privacy laws for businesses operating in the EU.
According to the folks over at Mail Chimp, this new regulation has been rolled out in order to:
- Support the fact that privacy as a fundamental human right
- Require that businesses handling personal data to be accountable for managing that data appropriately
- Empower individuals to exercise their rights over how their personal data is processed and used
Who Does the GDPR Apply to?
So a law that is passed in the EU doesn’t apply to you who runs a business from other parts of the world like the US, right?
Wrong, in this case.
The EU GDPR applies to all organizations that control, process, or handle the Personally Identifiable Information of EU citizens…whether that organization is in the US, or anywhere else in the world. Even cloud services must comply with the GDPR if they work with EU citizens.
Should You Be Concerned?
Well, yes if you handle Personally Identifiable Information from the EU. Non-compliance after the deadline of May 25, 2018 comes with a fine of up to 20 million Euros or 4% of global annual revenue depending on which happens to be greater.
Maximum fines of this nature could slap hefty fines to the tune of billions of dollars on giant corporations like Facebook and Google (who are already being accused of breaking GDPR for engaging in “forced consent”)
There are not many details on the various fines you can expect other than the maximum, but given that 10% global annual revenue or 10 million Euros still counts as a significant amount for the majority of businesses, you want to ensure that you enter this new era with your best foot forward.
What You Can Do
Just so we are clear, the sky is not falling down on our heads just yet. Nobody is quite yet able to decipher all that is fully required by the terms of the GDPR.
However you can begin your first steps by taking care of the simpler aspects like the requirement that users and website visitors be presented with an opt-in choice before a company, business, or organization starts storing, processing, or transmitting their personal information.
In general, if you have always run a business that is serious about data security and willing to live up to the requirements of regulation and other data security standards then you should be fine. But we do highly recommend contacting your vendors as well as your legal advisors.