In the digital age, a significant portion of business and consumer transactions take place in the digital marketplace. In the wake of recent high-profile data privacy scandals, legislators, regulators, businesses, and consumers have increasingly focused on the manner in which data is collected, processed, and stored. The most visible recent manifestation of this increased focus on data privacy is the rollout of the European Union’s General Data Protection Regulation (GDPR). The GDPR consists of eleven (11) chapters and ninety-one (91) articles that outline the specific requirements and regulations organizations must comply with pertaining to the rights of individuals and their personal data. In order to comply with GDPR, businesses will need to do more than simply update their privacy policies; they will need to evaluate their data collection, processing, and storage operations and implement a risk-based data privacy and security compliance program.
The GDPR, which takes full effect on May 25th, protects data and digital privacy for EU citizens and replaces the Data Protection Directive of 1995 (just think about how differently the digital world touches all of us now versus 1995!). The core principle underlying the GDPR is giving consumers the ability to limit their digital footprint by regulating the manner in which companies collect, store, and use data.
While many local businesses may question the impact of the GDPR on their data privacy and cybersecurity program, the global marketplace created by the internet creates a nearly inescapable nexus between businesses and consumers in the United States and the EU. Irrespective of the fact that a business is established and operating primarily in the United States, the threshold for GDPR applicability is minute—collecting, processing, or storing the data of a single EU citizen triggers the GDPR’s provisions. Given the significant penalties associated with failure to comply with GDPR mandates, there is no question that U.S.-based companies should carefully review their data privacy and cybersecurity policies and procedures to ensure compliance.
Changes and Implications for American Companies
The most significant change under GDPR is that if any company collects and processes an EU citizen’s private information, that entity is now bound to protect that information and provide a number of services to the individual person to whom the data pertains. When updating their compliance programs, companies will need to take a risk-based approach and allocate resources in a manner that is enterprise-specific. To be sure, there is no one-size-fits-all data privacy and cybersecurity program that will ensure compliance with GDPR (or similar U.S. regulations, for that matter).
There are several critical steps that U.S.-based companies should take to implement a GDPR-compliant data privacy and cybersecurity program. First, under GDPR, companies must inform internet users about what data is being collected, how it’s being used, and how long it will be retained and stored. Of note, websites must implement measures to actively inform users of privacy policies and obtain consent from each user. For many websites, this will require the use of pop-up boxes and/or banners that appear on a website’s landing page.
In addition, companies must allow users to opt out of data collection, storage, and use—basically, the creation of profiling data used for targeted marketing and other purposes. Obviously, sites like Facebook, with a huge chunk of their revenue model devoted to profile data, will see some potential ill effects of opt-out rights. But the cost of compliance pales in comparison to the substantial potential penalties for violations of the GDPR. For non-compliance, entities could face fines as high as 20 million euros or four percent of a company’s annual revenue.
If you are concerned about the incoming GDPR regulations from the EU and how it may affect your business with regard to your website, e-commerce, or other aspects, contact us at the Forrest Firm for a consultation. We may find, based on your unique circumstances, that there’s an appropriate wait-and-see approach that’s advisable or, we may need to discuss actions you can take to stay on the right side of the compliance line.