Three Questions About GDPR Compliance for Every US Company

If you’re even scanning this line, the odds are good that you’re thinking, “I don’t have to worry about GDPR; that’s for European companies.” That sentiment explains why a May 2017 Gartner study found that more than half of companies covered by the regulation will be non-compliant by the end of 2018.

The European General Data Protection Regulation (GDPR) replaces a country-by-country patchwork of laws covering how companies are required to handle European Union (EU) residents’ personal data. It applies to any business that collects, stores or processes the information of EU residents, regardless of whether that business is geographically located only in the U.S., or anywhere outside of the EU.

That’s anyone who resides in the EU—even if they’re not an EU citizen.

The law went into effect in 2016, and companies were given two years to comply. The deadline for compliance is May 25, 2018. Fines for non-compliance are severe: up to 20 million euros, or 4% of a company’s prior year worldwide revenue, whichever is higher.

To determine if your company needs to be GDPR-compliant one year from now, there are three questions you can ask:

1) Does my company offer goods or services to EU residents?

You don’t necessarily need to offer goods or services in the EU, and it doesn’t matter whether a transaction actually occurs; offering them to someone who lives there is sufficient. If your company is based in the U.S. but offers goods or services via a website that collects any personal data of an EU resident, that company falls within the purview of the GDPR.

2) Does my company monitor the behavior of EU residents?

“Monitoring” specifically includes the tracking of individuals online to create profiles, including where this is used to analyze or predict personal preferences, behaviors and attitudes. This would cover most social media sites and many apps as well as any predictive analytics of behaviors used for marketing purposes. For example, any company that sells wearable technology or incorporates artificial intelligence or machine learning should be paying attention to the GDPR.

3) Does my company have any employees in the EU?

This sounds clear-cut, but you may run into some uncertainty upon closer examination. For example, your company might not employ any EU citizens outright. However, if one of your employees currently resides in the EU, then your company needs to be GDPR compliant, even if that employee is a U.S. citizen.

Determining if and how GDPR impacts your company can be a challenge, but this is where you can gain insight by working with a firm such as Primitive Logic. Primitive Logic has a 30-year history of solving enterprise data management, data security and data compliance challenges for our clients. We understand your business and how it uses data, so we can implement an information management strategy that improves data acquisition, integration, governance, and distribution. We have been performing data protection assessments and compliance recommendations with varying international standards well before the enactment of the GDPR, and now have a robust process for preparing clients for any necessary GDPR remediation. If you need to assess your company’s readiness for this major regulatory requirement, let us know.

Follow Jill Reber on Twitter at @PrimitiveCEO.

Jill Reber, June 2017