The GDPR and You: How European Law Effects US Businesses

In the increasingly interconnected, global economy we now all participate in, major pieces of legislature in any trade region can have far-reaching effects. In many ways, the internet has blurred borders and nations; you can shop stores based on the opposite side of the world, call on talent that would have otherwise been too far remote, and connect with friends no matter where their travels take them. However, there are cases in which the complexities of international trade do affect businesses.

When news of the European General Data Protection Regulation (GDPR) first hit major news outlets, businesses of all sizes were rightfully concerned. While the goal of the regulation is ideal, regulation roll-outs can always be complicated, and complications are expensive. While larger companies have the resources on hand to hire devoted teams to handle changes like this, small- and medium-sized companies are often left to fare on their own, which can result in costly missteps or mistakes.

We don’t think that any business should have to go it alone in the competitive modern economy, so we’ve put together a guide for medium and small businesses that can help you understand what to expect and adjust now that the GDPR has gone into action. Thankfully, one of the good parts of the GDPR is that, while it is a sweeping revision of the European Union’s approach to data privacy, it is also deliberately very focused and, compared to the previous legislature, much clearer to those looking to understand it.

Part 1 – The Purpose of the GDPR

Possibly the most important part of understanding how the GDPR will affect your business is the understanding of why it was created in the first place. The GDPR represents the culmination of years of legislative refinement across the EU informed by years-past events and current events alike.

The previous data legislation of the EU had not been significantly updated in years, meaning that some oversights and holes had understandably revealed themselves over time. In addition, previous data legislation took the form of EU directives, which, unlike formal regulations, are general suggestions and guidelines that leave the implementation to individual nations. The GDPR is a large-scale piece of law that all EU nations have agreed upon to implement uniformly.

In addition to aging rules, however, the GDPR was also spurred on by a number of high-profile data-related controversies and catastrophes in recent years. The Equifax and Yahoo! data breaches were the harbingers of even more concerning events; the ransomware plague that swept UK hospitals and the revelation of data misuse on the part of Facebook partners were eye-opening in the worst ways. These events served to illustrate further the need for a more modern and competent approach to data regulation, one that would include means of effectively removing personal data, efficiently informing consumers on how their data would be used, and meaningfully securing user consent.

With regard to data breaches, the GDPR was designed with the purpose of requiring prompt notification of affected parties and government officials. The goal was to prevent nations, companies, and individuals from being blindsided by undisclosed data breaches sometimes years after they had occurred. The GDPR also set out to make data breaches less damaging overall.

Part 2 – What the GDPR Establishes

The first change that the GDPR puts into place is that all data policies must be considered strictly “opt-in” by default. Companies cannot simply hold onto data and, instead, must have very clear requests for data sharing consent that include how long the data will be used, how the data will be used, and what data will be used. These consent requests must be in plain language that is reasonably understandable to the average user of the site.

In addition to consent requirements, there are caps on the maximum amount of time any piece of data can be held that vary based on the type of data. This combines with the second major change that the GDPR brings in: The appointment of officials to oversee the usage of data. The EU now has an officer position devoted to ensuring the enforcement and implementation of data protection laws. The “European Commission Data Protection Officer” is tasked with enacting the GDPR by working with nations, companies, and company representatives.

Companies who will be handling large amounts of private data will be required to employ a data officer, as will government agencies and companies in industries that require analysis of personal data. In addition, companies who have attained consent from customers for data will need to store that data securely.

Part 3 – How the GDPR Will Affect Your Business

If you’re doing business with EU citizens, the GDPR affects you; however, the extent to which it will affect your business depends on a lot of factors. If you’re using very little personal data, you’ll likely have very few things to change. Most companies will need to revise their privacy policy and, unfortunately, join the masses of companies sending out swaths of emails requesting opt-ins to their mailing lists (you’ve likely received a few of these yourself already.) Most small companies here in the states already encrypt their data (as they should,) but that will be an absolute if you plan on doing business with EU citizens.

If your company will be working with personal data, you’ll understandably be more affected by the EU’s new data regulations. Thankfully, there are tons of official EU resources available online, which can help you begin the process of hiring a data officer, implementing EU standards for data deletion, and understanding whom you can reach out to for more information and guidance.

It’s essential to do in-depth research as soon as possible, though, since the sanctions for ignoring the regulations can be somewhat severe. For first offenses and unintentional noncompliance, you’ll only receive a written warning from EU authorities. However, if your company doesn’t make a good faith effort to proceed into compliance in EU transactions, you can get hit with fines of up to 2% of your worldwide profits. With that in mind, it’s worth making GDPR compliance a priority.

The good news about the GDPR is that it’s ultimately going to make business better all around. Interactions with customers will be more accurate, more impactful, and built on a more trusting foundation. While the GDPR adds some complication to the use of data by companies, it also ensures that your company and your employees are equally protected from data misuse or negligence. The uniformity of the regulation can be seen as the EU taking a stand against malicious agents who would capitalize on lax or incomplete data policies. In the end, though, the GDPR is likely to strengthen the marketplace and give peace of mind to businesspeople and consumers alike.