May 25th is nearly here, and if you do business online then you have probably heard GDPR being spoken about. So what is it, and does it apply to everyone? The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive, which was designed to harmonize data privacy laws across Europe. This law strengthens data privacy protections for all EU citizens and reshapes the way organizations across the region approach data privacy.
Does this apply to us in the United States? The short answer is that it is not a simple yes or no. According to eugdpr.org the answer is yes IF “You offer goods or services to, or monitor the behavior of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.”
Keep in mind that if your business only deals with local customers and nothing international, such as European consumers, then you can ignore this. However, everyone should be aware that the GDPR is fundamentally about protecting consumer privacy, so companies that conduct business online might want to use it as a reason to reevaluate whether their systems properly protect their clients’ data.
So, what happens if you are conducting business in a European country and have a data breach? If you are found to be in non-compliance, you can be fined up to 4% of annual global turnover or $23,921,020 (€20 million as of 5/12/2018). This is stated as the highest penalty a company could receive for not having sufficient customer consent to process data or for violating the core Privacy by Design concepts.
The nature of your business will determine whether you find yourself forced into compliance. Cherry Host is based in the United States, but we have become GDPR compliant so that our European clients are properly accommodated. The GDPR imposes more stringent protection of personal data, and we found ourselves either getting into compliance or losing an entire group of people, which is unacceptable.