Most reading this blog will have at least heard of the General Data Protection Regulation (GDPR), the European Union's (EU) solution to securing and protecting consumer data. This privacy law, many years in the making, took effect on May 25, 2018 and brings with it a private right of action. The GDPR will bring serious changes in data privacy that affect anyone who is present in the EU, along with any company that handles the data of EU consumers, which includes companies across the world, including the U.S. The objective is to give consumers control over their data and ensure that everyone has the right to consent to the use of their data, to be forgotten, to limit the use of their data, and to seek damages if a data breach or misuse occurs.
International data security authority Lorcan Malone does a nice job of summarizing the impact of the GDPR on U.S. businesses:
“Even if you do not have a business presence in any of the 28 EU member nations, do not assume the GDPR does not apply to you. If your company has an online presence, a website that can be accessed by any person in the world (which you more than likely do), then you need to be very aware of what’s going on with GDPR.
I would tell you not to start worrying immediately, but you should be knowledgeable on the subject so you can prepare yourself and your business.”
For example, third-party debt collectors may fall subject to GDPR requirements if they are hired to collect debt from a consumer who was vacationing or hospitalized in Europe when the debt was incurred. Alternatively, you may have GDPR obligations if you are hired to collect debt incurred in the EU by a European citizen. Both scenarios trigger GDPR liability and in turn your duty to protect the data in compliance with the GDPR.
As you begin that preparation, make sure you know precisely what data you mine, retain, transmit or house from your website. If the data you collect is protected by the GDPR, you must enhance your privacy program to comply with it. If you don't even know what categories of data you are capturing on your website, call your IT folks and ask them to conduct an audit; that's an important step to take for any compliance management operation, even if you have no obligation to comply with the GDPR.
Still confused? There is a plethora of online resources to help you determine how the regulations apply to your business. MobileIron has prepared a great checklist for your review. Or, for additional information, see how Forbes has outlined why your operation might be affected. Resources like these will at least get you started on the right foot as you learn more about why this global compliance issue might matter to you.
Disclaimer: Ontario Systems is a technology company and provides this blog article solely for general informational and marketing purposes. You should not rely on the content of this material for any other purpose or as specific guidance for your company. Ontario Systems’ advice, services, tools and products described herein do not guarantee compliance with any law or industry standard. You are ultimately responsible for your own company’s actions and compliance efforts. Because everyone’s situation is different, you must consult your own attorneys, accountants, and/or other advisors to obtain specific advice on your company’s compliance, legal, tax, regulatory and/or other business needs. Despite Ontario Systems’ efforts to provide current and up-to-date information, you need to recognize that the information contained herein may become outdated quickly and may contain errors and/or other inaccuracies.
© 2018 Ontario Systems, LLC. All rights reserved. Information contained in this document is subject to change. Reproduction of this publication is not permitted without the express permission of Ontario Systems, LLC.