The General Data Protection Regulation (GDPR) was adopted in April 2016 and became enforceable on May 25, 2018, replacing the EU's 1995 Data Protection Directive (Directive 95/46/EC). The earlier rules were written in the 1990s, before smartphones and other portable devices made internet access ubiquitous. Those personal devices have since become one of the main channels through which businesses collect a wide range of identifying information from data subjects, not always with their knowledge or consent. As a result, the EU's lawmakers judged the older protections outdated and no longer adequate for consumers.
Why is GDPR Compliance Important?
Businesses that are not physically established in any of the EU's member states (28 at the time the regulation took effect) must still comply if they fall within its scope, or face stiff penalties: fines of up to 20 million euros or 4% of the company's total worldwide annual turnover for the preceding financial year, whichever is higher. The regulation protects data subjects who are in the EU, not only EU citizens, so a business that offers goods or services to people in the EU or monitors their online behaviour must follow the same rules as a business based there. Conducting international business can be profitable, but US companies must first be in good standing with these requirements.
What Information is Affected by GDPR Compliance?
The GDPR protects any information relating to an identified or identifiable natural person. This includes:
- Name or username
- Phone number
- IP address
Stricter rules apply to the special categories of personal data, which include:
- Sexual orientation
- Health data
- Political opinions
The special categories also cover racial or ethnic origin, religious or philosophical beliefs, trade union membership, and genetic and biometric data used to identify a person; processing them is prohibited unless a specific exception applies.
Why is Data Collected?
Over the past several years, businesses have tracked users' data for various purposes, using it internally or selling it to marketers to build targeted advertising campaigns. Users may find some of these data-retention practices convenient, but the EU regards much of this collection as an invasion of privacy when it is done without a lawful basis such as the user's consent.
How Does a US Business Comply with GDPR Regulations?
Businesses may need to modify their existing practices and policies and to inventory the personal data they hold, recording what is collected, why, where it is stored, and who has access to it. A data protection officer (DPO) may be appointed (the GDPR requires one for public authorities and for organizations whose core activities involve large-scale monitoring of individuals or large-scale processing of special-category data), or an existing employee's role may be expanded to oversee compliance. Note that the business itself, not the employee, is the data controller: the controller is the organization that decides why and how personal data is processed. Employees should be trained on the new procedures, and because employee data is also protected, staff located in the EU should be made aware of their rights under the regulation. Businesses without an establishment in the EU that fall within the regulation's scope must generally designate a representative in the EU, and can also seek help from compliance firms there that are more familiar with the Union's data protection laws and GDPR requirements.
Where personal data has been disclosed, altered, lost or accessed outside the accepted parameters, the data controller must notify the appropriate supervisory authority of the breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to pose a risk to the people affected. The notification should describe the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed to address it. If the breach is likely to result in a high risk to individuals, the controller must also inform the affected data subjects. The impact of the event should be contained and mitigated where possible, and businesses should have a tested response procedure so that they can act quickly after an incident and remain GDPR-compliant.
Does GDPR Apply Only to Major Corporations?
Any business, regardless of size, must comply with the GDPR if it processes the personal data of people in the EU, for example by offering them goods or services or monitoring their online behaviour, or if it processes data on behalf of a company whose users or customers are in the EU. The regulation does not exempt sole proprietors or one-person businesses, and it does not depend on the industry the business belongs to. Website owners who maintain data for other companies act as processors under the regulation and should be aware of the obligations it places on them, including its data security requirements.
How GDPR Benefits Data Subjects
While the GDPR may require additional steps from businesses all over the world, people whose information is collected are now better protected than before. Identifying data that could be used for manipulative sales practices is regulated, and data subjects have rights over the information businesses may retain, including the right to access it and to have it erased. This could help curb the rising rate of identity theft and make people more comfortable engaging in a business world that is largely conducted online.