9 May, 2018
The statistics are shocking: GDPR is going into effect and “99% of U.S.-based privacy professionals believe they need help preparing” for the new regulations.
The General Data Protection Regulation (GDPR) is a set of laws that will be implemented in the European Union on May 25, 2018. The regulation protects the privacy of all citizens of the EU, aiming to give individuals control over their personal data, how it is used, and how it is shared. Although the GDPR will only be enacted in the EU, its reach extends globally—to any business that has a European customer base.
The new regulation should be familiar to global businesses that already deal with a variety of privacy laws. In the United States, data protection laws can vary from state to state, requiring businesses to comply with many different regulations. In a way, the GDPR is advantageous to companies, as it requires the same data protections across all 28 EU states.
How U.S. companies are preparing
In the months leading up to the May implementation date, U.S. businesses began preparations by doing internal audits and assessments of their data protection standards. U.S. companies should be—and most are—taking the new regulations seriously.
For example, U.S. companies must abide by GDPR guidelines when explicitly targeting EU citizens for online marketing and web-based interactions. Any interaction that collects data should be adjusted “to obtain explicit consumer consent” that is “freely given, specific, informed, and unambiguous.”
That means prominent consent forms, transparent language, and no separate links to “terms and conditions” pages filled with legalese. Once data is collected, companies must continue to follow GDPR standards to ensure the protection of EU citizens. For companies already following stringent data security standards, the additional regulation should not be an issue.
However, the 72-hour breach notification requirement could be problematic for businesses with underdeveloped IT departments. If data is compromised, IT groups will need to expedite their analysis of the breach and make the proper notifications within a very short window of time.
While there are still questions about how the new regulations will be enforced, the EU is taking its citizens’ privacy rights seriously, and U.S. businesses should follow suit.