What U.S. Businesses Need to Know About the General Data Protection Regulation
California pioneered breach notification law when SB 1386, which took effect in 2003, made it mandatory to notify affected individuals of a data breach. Since then, SB 1386 has been the model for breach notification laws across the U.S. and a standard bearer for technology companies protecting their customers' privacy online.
On May 25, 2018, U.S. multinational companies will have an additional set of standards to comply with: the European Union's General Data Protection Regulation (GDPR).
The GDPR protects the personal data of individuals in the E.U., regardless of their citizenship. Companies that fail to comply by the May 25 deadline may face penalties.
While these rules are enforced by E.U. supervisory authorities, they affect the way personal data is handled around the world, including by many U.S. multinational corporations.
Who GDPR Impacts
The new data protection rules apply in every E.U. member state, but their reach goes well beyond that.
GDPR specifically applies to any company, wherever it is established, that offers goods or services to people in the E.U. or monitors their behavior (for example, by tracking website visitors). In addition, the regulation protects the data of everyone in the E.U. regardless of where in the world that data is processed.
This means GDPR will have a direct impact on any U.S. company conducting business in Europe or handling the data of people located in the E.U.
For multinational companies without an office in the E.U., the regulation will still apply.
However, because the GDPR's extraterritorial reach and penalty regime are new (it replaces the 1995 Data Protection Directive, which had no comparable enforcement powers), the true impact of these rules will only be seen once they are in effect and regulators begin enforcing them.
What GDPR May Mean for Your Company
The GDPR contains 11 chapters and 99 articles, preceded by 173 recitals. It's a hefty amount of reading, but highly important for businesses handling the data of E.U. residents.
One significant change is the scope of the information covered.
The GDPR gives a broader definition of personal data than anything used in the U.S.
Under the GDPR, personal data means any information relating to an identified or identifiable natural person, whether directly or indirectly.
This encompasses a wide host of information including IP addresses, social media posts, cookie identifiers, location data and mobile device IDs, not just names, government ID numbers or payment card data.
Here are a few potential compliance changes your company may need to make:
- Establishing a lawful basis for each processing activity, such as the individual's freely given, specific and informed consent, and being able to demonstrate it
- Pseudonymizing or anonymizing personal data wherever possible to reduce the risk to individuals if the data is exposed
- Appointing a data protection officer to oversee the company's data policy, which is mandatory for public bodies and for companies whose core activities involve large-scale monitoring of individuals or large-scale processing of sensitive data
Primary Differences Between GDPR and Current U.S. Standards
What Constitutes a Data Breach
Under most U.S. state laws, a reportable data breach occurs only when a limited set of sensitive data elements, such as social security numbers or credit card numbers, is acquired by an unauthorized party.
A data breach is much broader under the GDPR: any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data.
Personal data is also widely defined as any information relating to an identified or identifiable living individual, such as the data examples listed above.
Threshold for Reporting a Breach
While the definition of a personal data breach is much broader under the new European standards, not every breach has to be reported.
According to the GDPR, a breach must be reported to the supervisory authority unless it is unlikely to result in a risk to individuals' rights and freedoms, and the affected individuals themselves must be notified when the breach is likely to result in a high risk to them.
Changes to Notifications
For data breach notifications, the GDPR also includes changes to the recipients, timing, and content required.
Companies must notify the competent supervisory authority (the data protection authority of the relevant member state, or the lead supervisory authority for cross-border processing) in cases where individuals' rights and freedoms may be at risk.
The company, as data controller, must make that notification without undue delay and, where feasible, within 72 hours of becoming aware of the breach; if it takes longer, the notification must explain the reasons for the delay. A processor that discovers a breach must notify the controller without undue delay.
The notification must include the nature of the breach, including the categories and approximate number of individuals and records affected, the name and contact details of the company's data protection officer or another contact point, the likely consequences of the breach, and the measures taken or proposed to address it, including any measures to mitigate its effects.
Following a Breach
While many U.S. companies that experience a data breach conduct a post-incident review for continuous improvement, it's not currently mandated.
The GDPR will require companies to document every personal data breach, whether or not it was reportable, including the facts of the breach, its effects and the remedial action taken, so that the supervisory authority can verify compliance. This record is also the natural basis for the lessons-learned review that prevents a recurrence.
Penalties
Failure to comply with the GDPR can bring significant fines and penalties. In the worst cases, the fine can be up to four percent of the company's total worldwide annual turnover for the preceding financial year or €20 million, whichever is higher.
Start Implementing Changes Now
Don’t wait until it’s too late for your business.
It's common for mobile applications and websites to collect personal data such as IP addresses, cookie identifiers and device IDs as part of their everyday function, which means that under the expanded GDPR definitions many companies process personal data without realizing it.
If you have further questions about how GDPR may impact your digital presence or your business, contact Praxent today!