The European Union’s data protection regulation, known as GDPR, is set to go into effect. While many businesses in the EU have been readying themselves for this regulation change, U.S. businesses that provide payments and other services in the EU may not be as prepared.
The GDPR, which goes into effect on May 25, governs the processing of personal data, including behavioral information, of people who are in the EU. It applies to a business outside the EU whenever that business offers goods or services to people in the EU or monitors their behavior there, regardless of where the business itself is located. Given the global and virtual nature of business in the internet era, it is often difficult to establish where a customer or potential customer is at the point that they consume the service, and that uncertainty is what brings many American businesses within the GDPR's reach.
The purpose of the GDPR is to force businesses to be transparent and careful when handling personal information in the course of providing services in the EU, regardless of where the information is processed or whether the data subject is an EU citizen. The type of information protected under this legislation is broad: identity, contact, banking, medical, employment and education data. The definition of processing is equally broad, covering anything from collecting and storing to using and sharing.
A research report released by the cybersecurity specialist Trend Micro in September shows that 95% of global business leaders surveyed know they need to comply with the GDPR. Worryingly, however, the analyst house Gartner Inc. is predicting that fewer than half of businesses will be fully compliant with the GDPR by the end of 2018.
The reason for this low level of compliance? Executives are unaware that even if the business is located in the U.S., it is where the service is delivered, not where the company sits, that determines whether this regulation applies. They may also be unclear on what counts as personally identifiable information that needs to be protected.
For example, 64% of those surveyed by Trend Micro were unaware that a date of birth constitutes personally identifiable information. A further 42% wouldn't classify email marketing databases as protected information, 32% wouldn't classify physical addresses, and 21% wouldn't classify a customer's email address. All of these are personal identifiers, and breaching the GDPR's rules on them could result in a fine of up to 4% of annual global turnover or $24.4 million (€20 million), whichever is larger.
If your business sends email marketing communications that may result in a service being delivered in the EU, then the safest approach is to plan as if the GDPR does apply to you and take steps to comply. Likewise if you collect personal data as part of a marketing survey and the respondent could be in the EU.
Complying includes ensuring you have opt-in consent from everyone you send email marketing to, that you have that consent on record, and that you can show what they agreed to receive and when. You also need to ensure that any personally identifiable data you hold is adequately protected from data breaches, whether accidental or criminal. If there is a breach, the GDPR requires that the relevant EU regulator, the "supervisory authority," be informed within 72 hours of the business becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of the individuals concerned. If that risk is high, the affected data subjects themselves must be notified as well, without undue delay. Every breach, reported or not, must be documented internally. In practice, meeting a 72-hour clock means having a tested process for detecting, assessing and recording incidents before one happens, not working it out afterwards.
Consent is only one of the lawful bases for processing personal data under the GDPR. If you are already providing a service to an individual and the lawful basis for processing their information is "legitimate interest" or "performance of a contract," then consent is not required for that processing. However, if you want to use that personal information for a different purpose, you need a lawful basis for the new purpose as well, and for email marketing that will usually mean obtaining consent.
GDPR compliance is a complicated and multifaceted matter that merits attention from both legal and technology experts to ascertain how much at risk you are and how securely your data is protected. Questions of enforcement are still being answered, but U.S. companies, and those with a strong web presence in particular, need to evaluate their exposure now and take steps to comply with the GDPR where it applies to them. The penalty for noncompliance is high.