The European Union’s General Data Protection Regulation (GDPR) applies to all companies processing or controlling the personal information of EU residents, regardless of where those firms are located. The regulation is designed to protect the privacy rights of EU individuals. It was adopted in April 2016 and went into effect on May 25, 2018, after a two-year transition period.
“International companies must take the new EU norms seriously even when they have no direct EU operations. If not yet implemented, I recommend beginning to implement the necessary technologies, policies, and procedures to ensure compliance as soon as possible,” says Dr Markus Karbaum, General Manager of Dr. Karbaum Consulting. “In a very first step, this requires general information according to GDPR’s Article 13 and a data privacy statement for websites. This is not only binding for companies, but also for any legal entity, including non-governmental organizations, that collects and processes data.”
GDPR applies to all online interactions with EU citizens
The consequences so far are drastic. For example, after the regulation came into effect, European users could not access several American websites because the respective hosts had not implemented the new rules. Without prior, explicit written consent, it is also not allowed to send newsletters or general special offers to customers or clients. Only the use of data to fulfill an order or to comply with other business-related laws, e.g. retention periods for invoices, is still allowed.
“Implementing GDPR has countless consequences for companies. First of all, people are entitled to ask businesses for the information they hold on them – a so-called subject access request – and companies have to provide this within one month and for free,” says Dr Karbaum. A further key principle is that ownership of personal data is deemed to remain with the individual and not with the data controllers or processors. The GDPR applies to all online interactions with EU citizens irrespective of where in the world the business takes place. It includes enhanced requirements regarding consent to the use of personal data, and a “right to be forgotten” equivalent to removal from the record.
Compliance with the rules will require an extensive data-mapping exercise, which allows a company to understand how its data flows. Such an exercise will also show that a firm understands what type of data it holds, whether customer or employee personal data or other sensitive data is shared, and who has access to it. The company can then determine its role in the process as a “data processor” or “controller” under the GDPR definitions.
Sitting it out or ignoring the GDPR is not really an option, as the enforcement powers are significant. Fines can reach up to 20 million euros or, if higher, four percent of a firm’s global annual revenue per violation.
For further information, please visit https://ec.europa.eu/commission/priorities/justice-and-fundamental-rights/data-protection/2018-reform-eu-data-protection-rules_en.