General Data Protection Regulation. Raise your hand if you've heard of it. Don't feel badly, a recent survey indicates less than 50% of businesses that will be affected by it are even aware of its existence.
Although GDPR is a regulation of the European Union, it will have a big impact on any U.S. company that employs a citizen of the EU or if the company holds, processes or interacts with personal data on any EU citizen, even if the company has no physical presence in the EU.
So, what is it? This new rule updates data privacy regulations that have not been altered since 1995 - before the cloud flattened the globe, before we had anything as remotely interconnected as we all seem to be today, like it or not.
In addition, it expands who is bound by the rules. In the past, only companies that controlled data, such as credit card companies, were affected. Now, GDPR includes third-party vendors and data processors as liable under the regulation. This means that any company engaged in commerce with a supplier that interacts with personal data on any EU citizen needs to have assurances from those third-parties that they are in compliance with GDPR.
One of the problems is that the concept of personal data in the EU is vastly broader than how it is defined in the U.S. Historically, personal data in the U.S. falls into three categories – financial, medical, and anything related to children under the age of 13. In Europe, however, all personal data is protected. Moreover, a "right to be forgotten" will require websites, databanks and other forums to delete all reference to an individual upon request.
Do you have an office in Europe? Any ex-pat employees? How about suppliers? Compliance is complex and the fines are in the stratosphere – up to 4% of your global annual revenue or $20 million Euros, whichever is greater. (Yes, you read that right.) You might also have to hire a Data Protection Officer.
It's important to get ahead of this and assess how your business is, or is not, affected by GDPR. Consider undertaking the following sooner rather than later:
In the past, the EU was satisfied if you were just aware of the rules and complied with them. Now, companies will have to show proof of compliance and that they are proactively engaged in personal data privacy.
The upside to all this is good corporate governance – you're doing the right thing, and in so doing you engender public trust. It will also shine a light on any weaknesses in your data protection policies. In the end, you will have built a better fort around cybercrime and the threat of being hacked.
Oh, one more not-so-minor thing – GDPR goes into effect May 25, 2018. The clock is ticking...