The General Data Protection Regulation (GDPR) is coming, and it will affect USA-based businesses as well.
Starting May 25, 2018, the most talked-about data protection law, the General Data Protection Regulation, will bring the most significant change to European data security in years. It is the greatest data protection overhaul of the past 20 years.
And, of course, an EU-based organization or a multinational that does business in the EU has to comply with the GDPR.
But what about U.S. enterprises that have no direct business operations in any EU member country? They have nothing to worry about, right?
Well, that is not true!
A USA-based company that has a presence on the internet and markets its products over the web is also affected.
GDPR is a directive in EU law on data protection and privacy for all entities within the EU. It is intended to give businesses guidelines for protecting customer data and to give consumers extra protection for their identifying information. The export of personal data outside the EU is also addressed. The GDPR mainly aims to give citizens and residents control over their personal data, and it simplifies the regulatory environment for international business by unifying the rules across the EU.
The new directive on data protection will make businesses take the additional step of protecting consumer data. This data comprises any information that can be used to identify an individual.
This regulation protects information like:
Social media posts
Cookies collected from a digital visit
Fundamentally, if it can be used to identify a person, it has to be protected.
A business falls under the purview of the GDPR if it does business with any citizens of the EU. This also includes businesses that operate in the Cloud. The GDPR protects every citizen of the EU, irrespective of where that customer does business or where the company is actually located. For instance, if a business is based in the United States but sells to European citizens on any level, then it must comply with the GDPR as well as PCI standards.
As per the EU GDPR website, any company that does business with a citizen of the EU has to be prepared for changes concerning:
Companies must be able to provide their customers with information explaining where their personal data is held, where it is being processed and for what purpose. This information must be provided to customers in a digital format and free of charge.
Businesses that process large amounts of customer data, or that handle special categories of data, will have to appoint a Data Protection Officer (DPO) to oversee all data protection policies and practices.
Businesses must provide consumers with a copy of their data and allow them to transfer it to another company.
Consumer consent must be obtained before any identifying information can be used or processed in any way. Any form requesting consent must be easy to understand and easy to find. The new data protection regulations require that requests for permission to use customer information be written in plain language, with no jargon or complicated legal terminology. And it must be easy for customers to withdraw consent at any time.
The GDPR gives citizens the right to "be forgotten." This means that businesses must delete, at the customer's request, any data that is not needed for the original processing purpose.
The GDPR insists that privacy measures be built into the design of the infrastructure. Some businesses will be required to retrofit existing technology to meet the privacy mandates.
Businesses will have 72 hours to inform customers of a data breach under the GDPR.
A business found to be in violation can be fined up to 4 percent of its "annual global turnover" or 20 million Euros, whichever amount is higher. For minor offenses, a business may be fined less.
While the new GDPR will offer extensive protections for consumers, it may require us to make changes to our processes and systems in order to comply.
Contact us to find out how we can help you get ready for operating business under the GDPR.
We can provide help related to GDPR for the following eCommerce platforms