The Basics: General Data Protection Regulation (GDPR) for US-based companies doing business in the European Union (EU)

On Friday, May 25, 2018, the General Data Protection Regulation (GDPR) goes into full effect. If you are a United States-based company with a web presence, you should be aware of the new rules to ensure you do not get fined.

What kinds of data collection are covered by the GDPR?

– Name
– Photo
– Email address
– Social media posts
– Personal medical information
– IP address
– Bank details

For example, if you target customers in the EU using their native language (such as French) and ask for contact information such as a name or email address in order to let them download a white paper, sign up for an e-newsletter, request a quote, or buy a product or service, you will need to:

– Explain how the information will be used, how long it will be retained, and whether it will be shared with any third parties.
– Ask for permission to use the information; merely linking to your terms and conditions is not sufficient.
– Obtain parental consent before processing any data relating to children ages 16 and under.
– Appoint a representative in the EU to oversee the collection and processing of the information in the cloud, and get permission before making the information available to others within your company.

Exception to the rule:

– If an EU-based individual searches on Google and finds your English-language website intended for US customers, the rules would not apply.

Penalties for not complying with the GDPR:

– Companies may be required to pay up to 4% of global turnover or 20 million euros. In addition, companies may be fined 2% for not taking measures to properly maintain and secure the data.
– If a data breach occurs, the company has 72 hours to notify the data protection agency and must inform affected individuals without “undue delay.”

For more information visit: https://www.eugdpr.org/the-regulation.html