On May 25, 2018, the General Data Protection Regulation (GDPR) went into effect in the European Union. Although the regulation is designed to protect the personal data of individuals located in the EU, U.S. businesses are affected by its compliance requirements, too. Simply put, if you collect, process, or store the personal data of anyone located in the EU, failing to follow these rules will prove costly to your business.
GDPR Compliance and You: The Rules You Need to Know
Most large corporations that collect significant amounts of data and do business in Europe are already aware of the regulation and are taking steps to comply with it, though possibly not as comprehensively as they should. Many smaller companies that do only a limited amount of business with European customers may be less aware of the new requirements and the strict protections being put in place for personal data. Even if you have only a few contracts with EU customers, the GDPR applies to you, so you need to understand your responsibilities for data protection.
Under the GDPR, the rules apply to any business involved in the processing of “personal data,” which Article 4 defines as “any information relating to an identified or identifiable natural person.” This is a deliberately broad definition: it covers not only data that directly identifies someone (a name, an email address) but also data that can be combined with other information to identify them, such as an IP address, a cookie identifier, or a device ID. In terms of your business, you are bound by the GDPR if:
- You have an establishment in the EU and process personal data in the context of its activities, even if the processing itself does not take place in the EU
- You monitor the behavior of data subjects, insofar as that behavior takes place in the EU (for example, tracking EU website visitors for profiling)
- You offer goods or services to people located in the EU, whether or not payment is required, even if you are located outside the EU
In other words, if you do business with people in the EU, or track them, you have to follow the rules regardless of where your company is located.
So, what are the rules you need to follow? The GDPR outlines several data protection rules, including stricter requirements for obtaining consent before data is collected and used: consent must be freely given, specific, informed, and unambiguous, and it must be as easy to withdraw as it was to give. Individuals also have the “right to be forgotten” (the right to erasure under Article 17), meaning that if they request that their data be deleted, a company must do so without undue delay unless one of the Article 17 exceptions applies, such as a legal obligation to retain the data.
Although these rules are important, there are some aspects of the GDPR that are more likely to be of concern to U.S.-based businesses. Among them:
- Data must be protected with “appropriate technical and organisational measures” (Article 32). The regulation does not prescribe specific controls, but it names pseudonymisation, encryption, the ability to restore availability after an incident, and regular testing of security measures as examples. These expectations are, thankfully, similar in spirit to security frameworks that U.S. businesses already know, such as PCI DSS (which is an industry standard rather than a U.S. law), and should not represent a significant burden for most companies that already run a mature security program.
- A 72-hour breach notification rule. A personal data breach is any “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.” If one occurs and it is likely to pose a risk to the rights and freedoms of the affected individuals, your company must notify the relevant supervisory authority within 72 hours of becoming aware of it; if you act as a processor on behalf of another company, you must notify that controller without undue delay. If the breach is likely to result in a high risk to individuals, for example exposure of credit card numbers, then you must notify the affected individuals as well. Failing to report a breach can be fined at up to 10 million euros or 2 percent of worldwide annual revenue, whichever is higher.
- The rules for marketing are becoming more complex. The GDPR covers businesses that target their marketing to people in the EU. Whether a business is “targeting” is judged from the evidence: using the language or currency of an EU member state, allowing orders to be placed in that language, or referring to EU customers all indicate targeting, and visitors to such a site are covered. Mere accessibility of a website from the EU is not enough: if a person in the EU happens to find a U.S.-based webpage that is not directed at EU customers, that visit alone does not bring the business under the GDPR.
These are the rules most likely to affect U.S.-based businesses. Experts predict that the businesses most likely to be impacted by the GDPR are those in the travel, hospitality, e-commerce, and software industries. Even if you aren’t in one of those industries, though, if you have contracts with EU-based customers you need to prepare now.
Getting Ready for GDPR with Contract Management
Time has run out for businesses to get ready for the GDPR; it is finally here. Now you need to determine what personal data you hold that is covered under the GDPR and take steps to protect it. This includes analyzing your contracts, not only identifying any data that needs to be protected, but also finding the contracts that are out of compliance and need to be amended. Article 28, for example, requires a written contract with every processor that handles personal data on your behalf, setting out the subject matter, duration, nature and purpose of the processing, the types of data and data subjects involved, and the processor’s obligations (including to assist with breach notification and to delete or return the data at the end of the engagement). You also need a system for maintaining insight into all your contracts and your risk, so you can make smarter decisions and avoid costly errors. The best way to do this is via a contract management platform like Exari, which includes powerful tools to quickly provide insight into your existing contracts and a streamlined process for revising and storing them.
GDPR compliance doesn’t have to be a major headache. Exari Contracts™ can ease the burden, freeing you up to grow your business. To learn more about how it all works, read our free eBook.