From our good friends at RPS: The European Union has enacted a comprehensive and far-reaching data privacy initiative, (GDPR). It contains massive penalties for noncompliance and is set to go into effect soon.
What do the initials "GDPR" stand for?
"General Data Protection Regulation" (www.eugdpr.org)
My Clients are all based in the United States. Do we care about this?
Yes. Even if the company does not have a business in the EU, the regulation can apply if:
- The business offers goods or services to EU subjects regardless of whether payment is required.
- The business monitors the behavior of EU subjects. (Clicking on social media links, analyzing marketing likes/dislikes)
- The business stores and holds the personal data of EU subjects.
Can you give me a quick idea of what this new law is about?
The GDPR unifies data protection laws for “Personal Data” across the European Union with the intention of strengthening privacy rights of consumers. It imposes hefty fines on companies that don’t comply. The GDPR has many requirements, but here are the primary ones:
The personal data you collect must be "minimized, accurate and portable".
You need to obtain informed consent from a EU consumer before collecting, storing or using their personal data.
Their personal data must be “provably deleted” if the consumer so chooses.
What does the new law consider "Personal Data"?
- Email Address
- Financial information
- Healthcare information
- The law also includes data that could indirectly identify an individual (racial or ethnic origin, political opinions, religious beliefs, etc.)
Who is affected?
Any US business that offers goods or services to customers in the European Union or holds any personal data on European Union subjects.
When does this new law take effect?
May 25, 2018
What does GDPR say a business must do if they are the victim of a data breach?
The GDPR requires that companies notify individuals of a breach of their personal data. Notification must include:
- The name and contact information of the company’s data protection officer
- The anticipated consequences of the breach
- Any measures taken by the company to remedy or mitigate the breach
What are the penalties if a US business doesn’t comply with GDPR?
Monetary penalty is 20 Million Euros or 4% of a company’s annual revenue, whichever is greater.
What should US businesses do now?
Here is a great resource: www.dacbeachcroft.com And - if your client has not purchased a comprehensive Cyber Liability policy for their business, they should be doing so now. If they have purchased Cyber Liability, please ensure that the carrier is covering GDPR fines/penalties.