GDPR: 4 Things Your Organization Must Know About New Internet Privacy Rules
GDPR, or General Data Privacy Regulation, is sweeping new legislation—passed by the European Union and going into effect on May 25, 2018—that has implications for American organizations.
Here are the four things you need to know to make sure you’re complying with GDPR:
1. GDPR is the Biggest Update to Internet Privacy Laws in a Generation
GDPR contains several modern updates to how personal data is handled online—including:
- Personal data isn’t territorial anymore. If you handle data of European subjects, GDPR applies.
- “Personal data” now includes any data that can be attributed to a specific, human user.
- Users are given the right to update and correct their personal information.
- Users must be notified, explicitly and often, about anything related to how their personal data is used, processed, and shared. This is the “consent” part of GDPR.
- Users have the right to erase all of their data from your system—aka, the “right to be forgotten.”
2. GDPR Extends Globally—Including the U.S.
Before GDPR, the geography of privacy laws was murky. For example, if the data of EU citizens was stored/processed outside of the EU, the EU regulations didn’t apply. (Except when they did: GDPR is a response to a number of high-profile Internet privacy court cases across Europe.)
GDPR says that the data of EU citizens must adhere to the law regardless of where the data is being stored/processed.
If your organization collects, stores, or handles data from Europe, GDPR applies.
3. Penalties Are (Very, Very) Stiff
If you violate GDPR, fines can total up to:
- 4% of annual global revenue
- $20 million
… whichever is greater. While these limits are for the most egregious violations of GDPR, it suggests that even minor violations can be financially troublesome. The EU isn’t joking around: GDPR could become very costly for plenty of organizations.
4. You May Need to Hire Someone New
If you do significant handling and collection of the data of EU “data entities” (aka, users), you may need to hire a Data Processing Officer (DPO). A Data Processing Officer is only required of public entities, along with any organization that requires “regular and systematic monitoring of (EU) data subjects.”
For example, global nonprofits that fundraise in the EU may need to hire a DPO to collect, maintain, and report on data collection and processing activities.
How to Comply
GDPR is just unfolding now, in the spring of 2018, and there are plenty of things yet to learn. Surely organizations will have to adapt and iterate to ensure they’re adhering to GDPR’s principles. Time will tell us much.
But what we can help with, right now, is performing a technology audit for your organization—helping you understand, in clear and concrete terms, how your online data handling may (or may) not run afoul of GDPR. (And even if GDPR doesn’t apply to your organization, you probably need a good inventory of your potential privacy pitfalls.)
Ultimately, GDPR is a good thing—a powerful new step in protecting all of our personal data and returning power to us, the individuals who live so much of our lives online. But how it all plays out will depend largely on the organizations and businesses that take user privacy seriously.
Note About This Article
We are not attorneys, and we’re not experts on the intricacies of the GDPR. We offer this article for informational purposes. To learn more, check out the links below.
