Later this month (May 25th, to be exact), the European Union’s General Data Protection Regulation (GDPR) goes into effect and with it ushers in the single biggest change for data security in history. Some of the more famous provisions of the act are:
The truth is that GDPR regulations apply only to EU citizens, but the reach goes further than Europe. If your company is based in North America, you are not immune from compliance.
First, the obvious. If your company is based in North America, but does business (either direct sales, supply procurement, or even hiring of European citizens for full-time or part-time help) in the EU, you should already be planning or have already implemented steps to comply with GDPR.
Well, it may be obvious, but the fact is that the statute is a bit vague on who it protects and under what circumstances. (And, of course, the rules by which companies will be audited and fined have yet to be determined.) Certainly, multinational companies that sell in the EU are bound by the act’s provisions, but more importantly, any company that collects, receives or retains the identities of EU citizens for any reason will also need to comply with GDPR standards. That means that any personal information of an EU citizen that ends up in your enterprise system for any reason (even if it is as simple as a web visitor from Amsterdam browsing your website and downloading a whitepaper) must be protected under the statute.
Data privacy is obviously a huge topic these days and GDPR is the first of what will likely be many laws that will be enacted worldwide to protect the privacy of autonomous citizens.
Even American companies that don’t actively sell in the EU should pay close attention to GDPR for the following reasons:
Fortunately, there are things that you can do to prepare for increased data privacy rules, even if you aren’t subject to GDPR standards immediately.
Here are a couple of links from our trusted partners: