GDPR is the European Union's General Data Protection Regulation and it has impacts for many businesses that collect data from citizens of the EU. The enforcement of GDPR starts 25 May 2018 or May 25, 2018, for us Americans.
The goal of GDPR is to provide substantially greater security and transparency for personal data collected from EU Citizens. The Internet is overflowing with information on GDPR and luckily there are many companies like Denver DataMan that can help you with a strategy for data collection, security, and monitoring.
What Must be Done?
Consent must be given for the use of data and for how the data can be used. This includes if data can be shared with others and how it can be shared. In GDPR parlance the person the data belongs to is the data controller.
Breach Notification must be completed within 72 hours of first having become aware of the breach. Data processors (those that process but do not necessarily store data) will also be required to notify their customers, “without undue delay” after first becoming aware of a data breach.
The Controller has the Right to Access their data and get a copy of their personal data, free of charge, in an electronic format. This is similar to rights afforded to US citizens under the HIPAA law. The data must also be designed for Data Portability so that citizens may get the data in an electronic usable format that can be reasonably transferred to another place or service.
The Right to be Forgotten is a more controversial issue. It is the right to demand of a company to delete your data.
Privacy must be built into systems by design. Privacy by design means that, from the start of implementing a system, development and business decisions are made for the benefit of the data owners rather than just for the needs of the business working with the data.
Who Must Comply?
You must comply with GDPR if you are actively collecting data from European citizens. In general, this means that you are advertising to people in the EU or otherwise making your product or service enticing to people in the EU. Talk to your legal counsel, but from our understanding, if you sell shoes online and someone in the EU buys your shoes, their data is not covered by GDPR. However, if you sell "Dutch Clogs" and you have a .nl domain, or you have text in Dutch, or your site is specifically set up for Dutch addresses, then the data you collect is most probably covered by GDPR. This is a great article on the topic.
If you have offices in both the United States and the EU then you probably must comply.
For those who must comply, the penalties for failing to do so are very steep. At the highest level of fines, it is 4% of annual global turnover or €20 Million (whichever is greater).
Many companies may choose to participate in the Privacy Shield program run by the European Union (EU) and the United States Commerce Department. The Privacy Shield is an agreement between the United States and the Member Nations of the EU to handle data similarly in both the United States and the EU.
DDM Can Help
We are here to help companies understand and model their data. We have partners like business lawyers who can help with the legal end of GDPR compliance.