07 May Do You Need to Be Concerned About the GDPR Deadline?
With the May 25th deadline for GDPR (General Data Protection Regulation) compliance looming, many businesses are left wondering whether they need to do anything to make sure they are safe from the consequences of non-compliance. Even if your business is based in the US, and the majority of your customers are US-based, you still may have some things to worry about. According to Forbes, any US company that has a Web presence (and who doesn’t?) and markets its products over the Web will need to verify compliance with the restrictions.
Do I Need To Comply?
Article 3 of the GDPR says that if you collect personal data or behavioral information from someone who is currently browsing from an EU country, your company is subject to the requirements of the GDPR. The restrictions do NOT apply to an EU citizen who is currently in the US. The restrictions also apply if you are currently marketing to EU customers. If I create an ad targeted to people in Germany, the data I collect would certainly be subject to GDPR. However, just having a website that is US-based and targeted to US-based customers would not subject me to the EU restrictions.
As another example, if a resident of Germany stumbles upon my website, that does not necessarily mean I am subject to GDPR restrictions. If, however, your website pursues EU residents (accepts the currency of an EU country, has a domain suffix for an EU country, offers shipping services to an EU country, provides translation in the language of an EU country, or markets in the language of an EU country), the GDPR will apply to your company. Likewise, if your company is engaged in monitoring the behavior of EU residents (e.g., tracking and collecting information about EU users to predict their online behavior), the GDPR likely will apply to your company.
What are the Requirements?
If the regulation does apply to your company, what do you need to do to ensure compliance?
The GDPR requires that companies:
- Obtain the consent of subjects for data processing
- Anonymize collected data to protect privacy
- Provide data breach notifications within 72 hours
- Safely handle the transfer of data across borders
- Appoint a data protection officer to oversee GDPR compliance
Put simply, according to Digital Guardian, the GDPR mandates a baseline set of standards for companies that handle EU citizens’ data, to better safeguard the processing and movement of citizens’ personal data. While some of the restrictions may be a little over the top, the majority of them are fairly common sense and generally good business practices.
Should I Comply Anyway?
While your company may not be required to comply with these new restrictions, it may be a good idea to follow the compliance rules anyway. The general public is becoming increasingly worried about data privacy, as evidenced by the Facebook/Cambridge Analytica scandal. If your company becomes responsible for private data being compromised, you may not be fined under the GDPR, but your company will certainly suffer in the headlines across the US.