Our websites are global, our e-commerce offerings reach customers around the world, our Internet radio broadcasts elicit responses from listeners around the globe and our consultants often hail from London to New Delhi.
Whether people pay us, whether we pay them, or whether we just correspond with people interested in our products, services and programs, we often exchange personal data that includes email addresses, phone numbers, and physical addresses. This personal data is increasingly protected by regulations around the world, especially when it is collected online. Nowhere is this regulation more stringent than in Europe.
In just six months, the new European privacy regulation, the General Data Protection Regulation (GDPR), will take effect, bringing large new fines and a strong European Union (EU) commitment to enforcement. This new law fundamentally increases the protection of personal data, and its reach extends far beyond the borders of the EU. Companies all over the world are preparing for the change. Are you?
This blog post provides an overview of the new GDPR, suggests steps that companies might take to better understand and stay on the right side of these rules (including by “self-certifying” your company’s compliance) and points to some U.S.-based resources in the form of the websites of the Department of Commerce and the U.S. Better Business Bureau. For those who collect personal data from individuals in EU countries, the time to act is now.
EU Data Protection Law in a Nutshell
Europe protects personal data differently than the U.S. does. U.S. data privacy laws are sectoral: separate statutes protect an individual’s health data, financial data and even video rental records. Partly in reaction to the abuse of personal data collected before and during WWII, European countries have taken a much harder line than the U.S. on the private collection of personal data. One of the first laws of the then-new European Union, the Data Protection Directive of 1995, created a comprehensive data protection law for Europe. All personal data of European individuals is broadly protected, and control over that data rests with the individual, including: (1) a right to review the data and correct it as appropriate, and (2) a right to consent to “secondary uses” of the data, including whether or not the data may be shared or sold to third parties for purposes unrelated to the original purchase or service.
In 2016, European lawmakers went one giant step further. The EU adopted a stronger set of data privacy rules designed to further harmonize the data protection laws of the region and bring them in line with 21st century technologies. This law, the GDPR, is now shaking up the way companies around the world collect, process, retain, share and delete personal data collected from individuals in the EU. Every company working with data flows from Europe should be closely reviewing its data policies, procedures and processing to determine whether the GDPR applies to it and what compliance will require.