On Friday, May 25th, the General Data Protection Regulation (GDPR) becomes enforceable. The GDPR is the EU law governing the protection and privacy of personal data for all people within the EU. Key elements of the regulations included in GDPR are:
- The right to be forgotten
- Consent for storage and use of consumer data
- Strict breach notification timetables
- The requirement that data collection and use be clearly and openly stated (as opposed to buried on page 15 of an EULA or T&C document)
Now that the due date is approaching, many U.S. companies are wondering if GDPR applies to them. Unfortunately, the answer is "It depends." The scope of the GDPR includes all companies that hold, process or use the personal data of EU residents, even if those companies are not located within the EU. If you store, process or use the personal data of an EU resident (even just a name), then according to EU law you must be compliant.
Even if you think you do not store, process or use the personal information of an EU resident, your website or marketing automation platform might. You need to be GDPR compliant if your website:
- Specifically targets residents of the EU by language or referencing EU specific products or services
- Has visitors who are residents of the EU
- Collects personally identifiable information (PII) about your website visitors
For example, if you sell tractors, have a website translated to German, require website visitors to register before accessing a whitepaper on that website, and German visitors are registering and downloading the whitepaper, then you must be GDPR compliant.
While GDPR includes specific requirements and regulations, the intent is to get companies to shift their thinking as opposed to just checking boxes. Currently, companies collect as much consumer information as possible. Some data is intended for immediate use (in marketing campaigns, for example); other data is stored just in case the company thinks of a way to use it. Companies have operated with the mindset that they own all data they can collect and have no responsibility to the person whose data was collected. GDPR is an attempt to shift this mindset to one where the consumer always has absolute ownership of their data. Companies can only use the data if the consumer allows, and only in the specific ways the consumer allows.
GDPR regulations are extensive, and applicability should be decided on a case-by-case basis. We recommend reviewing the data your organization has collected and, if there is any risk that you have personal data belonging to an EU resident, beginning to take steps to become GDPR compliant. If you need help understanding how GDPR affects your technology decisions, call us at 303.757.0779.