The European Union has passed a new privacy law called the General Data Protection Regulation and it goes into effect in May of 2018.
If your company does not do business or have customers in Europe, this regulation may not affect you. However, if you have customers in Europe, even if you do not have offices in Europe, you are still bound by the regulation.
There are a number of things about the regulation that are very different from the way U.S. companies treat your data and mine.
What is unclear is whether multi-national companies will operate differently in different countries.
For example, under GDPR a company has to get express permission to collect, store, use and transfer the data that it holds about you. Will Facebook, for example, have a different user agreement for customers in Europe than in the United States? This is still unclear, but given their appetite for stealing our data, it would not surprise me if they did treat the two groups of users differently.
On the other hand, for smaller companies who do not make a lot of money from your data, it may be easier to treat everyone uniformly.
Other requirements of the regulation include:
- Companies must report breaches within 72 hours of becoming aware of them. In the U.S., things are much looser. You must report breaches sorta, kinda, reasonably quickly. In many states what that means is undefined. In other states it might be 30 to 90 days. It is not 72 hours in any state for a general business. Effective January 1, 2018, defense contractors will have to report breaches to the DoD within 72 hours, and financial institutions in New York will have the same reporting requirement with a bunch of exceptions, but those two groups represent a tiny percentage of the total population of businesses.
- The definition of personal data is way broader than any definition in the U.S. For example, the Internet address (IP address) you are using is considered personal data. So is your genetic data.
- Probably the biggest change is the potential fines. The EU could fine a company up to 20 million Euros or 4 percent of their annual global revenue, WHICHEVER IS GREATER. For a large company, that could be billions of dollars. For a small company, the fine alone could bankrupt the company.
In addition, there are a number of other conditions that the law requires.
There are plenty of businesses in the United States that have European customers and many of them will be totally unprepared for the changes that come about in less than a year.
Obviously, the place for all businesses to start is to inventory what data the company collects, where it is stored, what it is used for, how long it is kept and who it is shared with. That, by itself, is a huge challenge for most businesses. This does not just apply to “corporate”. If some department collects data and doesn’t have the proper consent, the company could be fined. If that department shares the data with a third party and that was not disclosed, again the company could be fined.
This would include data that is stored on laptops, in the cloud and on home PCs. Most companies will not be able to figure that part out.
If you share data with a third party (a vendor or supplier, for example), you have to be able to prove that they are following the rules as well.
For British citizens, even though Great Britain is leaving the E.U., the government says it is going to implement the same law.
For businesses that are subject to this law and who have not already started planning for this, there is not a lot of time to get caught up. There is a lot of work to be done.
Information for this post came from the BBC.