On May 25, the European Union's (EU) General Data Protection Regulation (GDPR) will go into effect. But what does this mean for U.S. businesses?
Designed to strengthen data protection regulations within the EU, the GDPR gives EU residents greater control over how their personal data is collected, processed, shared, and stored.
While the GDPR is an EU-based directive, many U.S. businesses will be affected, as the regulation applies to any organization that handles the personal data of citizens residing in the EU when their data is collected.
To ensure compliance, and to avoid potentially heavy fines, U.S. companies need to recognize three critical ways in which GDPR will impact their business and customers.
1) Online marketing forms must obtain explicit consumer consent
According to the GDPR, consent to collect personal data must be "freely given, specific, informed and unambiguous," so simply asking consumers to agree to a lengthy terms and conditions document won't work anymore. Companies will also need to obtain permission for each type of processing done on personal data, meaning email promotions or sharing with third-party affiliates will require separate consent checkboxes.
2) Once data is collected, 72-hour breach notification is required
Under the GDPR, if a data breach occurs, U.S. companies will need to identify whether the breach involved EU residents' data and determine whether the exposure of the data can cause "risk to the rights and freedoms" of the EU residents. A large exposure of sensitive data (e.g. medical or financial information, or identifiers associated with children) will require notifying an EU regulator within 72 hours. In instances of high risk to fundamental property and privacy rights (e.g. credit card numbers or account passwords), the impacted EU citizens themselves will also need to be notified.
3) Failing to comply with GDPR will involve steep fines
According to Article 83, GDPR infringements can lead to fines of up to 20 million euros or 4 percent of the total worldwide annual turnover of the preceding financial year, whichever figure is higher. Failing to report a data breach to an EU regulator within 72 hours could cost companies 2 percent of global revenue.
What types of U.S. businesses might be impacted?
U.S. hospitality, travel, software services, and e-commerce businesses stand to face the most drastic changes under the GDPR. However, any U.S. company with an EU market presence and localized web content should carefully review its online operations, as the financial and reputational costs of non-compliance are far too high.
With the implementation of the GDPR, the only way to completely protect your organization is to make sure it has the business insurance it needs and to embrace the fact that your business's most valuable asset is its data. To fully secure their data, U.S. businesses, big and small, need to adopt cybersecurity best practices, implement security measures, and cover themselves and their customers with cyber insurance. Refer to our GDPR checklist to learn more about how to prepare your business.