GDPR is one of the hottest digital news topics in the UK, but don’t think for a second it doesn’t also impact what’s happening here in the U.S.
The rules concerning GDPR are already in play, but it’s the responsibility of every company with an online presence to understand what those rules are, how to play by them, and what happens to those who don’t comply.
GDPR is the acronym for General Data Protection Regulation that was established by the European Union for data protection reform. Initiated in 2012, it wasn’t until four years later than an agreement was reached and plans to pass the reform were put into motion.
In May 2018, GDPR went into full effect. This set of rules is designed to give internet users in the European Union more control over their personal data. GDPR has simplified and standardized data protection law across the 28 countries in the EU. As a result, both businesses and citizens in the EU are able to benefit from the digital economy.
The entire premise of GDPR compliance is to ensure that companies are only collecting data about their users legally. This process includes the following measures:
As of May 25, 2018, companies in the EU or those that do business with EU customers must be compliant with GDPR rules.
Whether you do business inside the EU or with others that are in the EU, GDPR will impact your business, especially when it comes to the technology you use to conduct your operations.
Technology is tasked with leading the charge on handling data and shaping the way businesses are allowed to collect, access, and use customer information. In many cases, your technology providers bear the burden of responsibility when ensuring their products and services are developed for GDPR compliance.
However, technology companies are recognizing their shortage of skilled cyber security specialists and data protection officers that are familiar with how to achieve and maintain GDPR compliance. Moving forward, tech companies will need to invest in increasing staff and training programs to ensure their products and solutions help the companies that use remain within GDPR regulations.
GDPR rules have been effective for months, but governing agencies were allowing a bit of initial leniency while companies made the transition. Still, given the potential fines that could occur, companies don’t want to take any chances.
The maximum penalty for GDPR non-compliance could be as much as €20 million or 4% of the company’s global annual turnover, whichever is greater.
Don’t panic just yet—this astronomical fine isn’t likely to happen with a minor first offense. Written warnings are common for first-time offenders. If you receive a warning, you won’t want to take it lightly, as you aren’t likely to see another one. The next time could be a fine of larger proportions, depending on your company size and revenue.
In a way, GDPR simplified matters for businesses because there is one standard for data protection that applies to all countries in the EU. But GDPR also leaves much room for interpretation, which could leave you vulnerable to non-compliance.
For example, the rules dictate that businesses should provide a “reasonable” level of protection to personal data, but the word “reasonable” isn’t clearly defined. This can give governing bodies plenty of leeway when issuing fines and determining instances of non-compliance.
Companies who use any type of technology to connect with their customers should check with their software and technology vendors to see how they’ve prepared their products for GDPR. Also, it helps to connect with internal IT teams to ensure they understand the rules and risks associated with the new regulations.
Even if you aren’t currently doing business with buyers or businesses in the EU, it’s not a bad idea to ensure compliance anyway. Doing so now will put you in the best possible position to seize an opportunity when it presents itself.