The European Union’s (EU) new data protection law, called the General Data Protection Regulation (GDPR), went into effect in May of 2018, and U.S. companies are still catching up. Though the law is a standard governing business in the EU, it also covers any U.S. companies they might do business with, which covers almost any business in the United States in today’s world of online commerce.
The GDPR has introduced a much stricter set of rules in place of the now-outdated legislation adopted by the EU in 1995, when the Internet was just beginning to see mainstream use by businesses. The new regulations were adopted in 2016, and they were spurred on to some degree by recent high-profile data breaches in which millions of users saw their personal information stolen and put on the open market. As a result, consumer distrust in retailers is on the rise, and a new set of standards has been put in place to protect the personal information of EU citizens from hackers and data mismanagement.
What is the GDPR, and What Qualifies as ‘Personal Information?’
The EU’s official website created for the GDPR defines it as regulations for the processing of “an individual, a company or an organization of personal data relating to individuals in the EU.” The personal data outlined on the website includes what an individual uses for “socio-cultural or financial activities.”
Data that is not included in the GDPR:
- Deceased persons
- Legal entities
- Data processed for personal reasons in a private, in-home sphere
Many, many businesses, from mammoth banks to small independent shops, do business with citizens of the EU through online storefronts. As part of transactions and things like membership to an email newsletter, businesses take in and store the personal data of everyone they do business with. If that data isn’t properly secured, there exists the risk that social security numbers, medical records, or other private data could be stolen.
This is a quick checklist of what would be considered personal data as put forward by the GDPR:
- Names and surnames
- Home addresses
- Email addresses
- ID card number
- Location data that can be pulled from a mobile device
- IP address
- Cookie IDs stored from visiting a website
- Medical data
- Racial or ethnic data
- Political opinions
- Sexual orientation
How Does This Impact Businesses Globally?
Businesses located in the EU, or that do business with citizens of the EU, have to protect all of a user’s personal data at the same level as the social security number of a U.S. citizen. The GDPR spells out exactly which businesses are required to comply with the rules, and they include those with:
- A presence in an EU country.
- No presence in the EU but that process personal data of European residents.
- More than 250 employees.
- Fewer than 250 employees but with data-processing that impacts the rights and freedoms of data subjects, is not occasional, or includes certain types of sensitive personal data.
As you can see, these requirements cover almost all businesses, and as the consequences for a breach or noncompliance can range from large fines to a class-action lawsuit, it’s better to be prepared now than get caught later.
A GDPR Compliance Checklist for U.S. Companies
According to the European Commission, there are roughly seven major steps to take for U.S. businesses to ensure they’re GDPR compliant:
- Figure out what data you’re collecting, how you’re processing it, and why you are collecting that data. Do you actually need it, or can it be deleted?
- Do not keep personal data for any longer than absolutely necessary.
- Always inform your customers and employees when and why you’re collecting data, as well as what data you’re storing and how it will be used.
- Secure the data you process. That means data at rest on your servers and data in transit, whether it moves physically or electronically.
- Document all data processing that takes place, from payroll to email subscriber lists.
- Make sure you’re only working with subcontractors that know and are in compliance with GDPR.
- Hire a Data Protection Officer (DPO). This person will oversee data security, find breaches when they do happen, and be the public face of the company to the authorities.
There is a wealth of information on GDPR, including a more detailed compliance checklist for U.S. companies, on the European Commission’s website.
Advancing Your Business Career
Navigating today’s economy as a businessperson can be difficult, but if you’re up to the challenge, Malone University can help. We offer an online master’s program in Organizational Leadership and an online MBA program, so you can learn at your pace, on your schedule. Programs range from 16 to 30 months, and include classes on leadership, communication, research, ethics, and more. You’ll gain the knowledge to navigate the modern business landscape and learn from people with hands-on knowledge of the workplace.