About the Author: Kellen T. Fish is a partner at KTF Law Firm, where he provides professional legal counsel to individuals and businesses in the Minneapolis area.
There are a lot of questions surrounding the General Data Protection Regulation (GDPR) and its effect on U.S. businesses. The main question business owners have is whether GDPR affects their organization. The short answer is… maybe.
GDPR is a major piece of privacy law from the European Union (EU) that carries significant penalties, including a fee of $20 Million Euro, or up to 4% of a company’s annual revenue, whichever is higher. Its requirements apply to personal data processors within the EU and European Economic Area (EEA), which means it also applies to personal data processors that sell, advertise, or do business with EU residents.
What you need to know is that GDPR extends beyond the typical meaning of the phrase “personal data processing.” It defines personal data as “any information relating to a[n] natural person… directly or indirectly, in particular…a name, an identification number, location data, an online identifier or… physical… mental… cultural or social identi[fier] of that… person.” This means names, addresses, email addresses, physical descriptions, and cultural or social affiliations.
Further, the GDPR defines “processing” as any “collection, recording… storage… use… transmission…[or] destruction.” So, any time you store personal information on your server or a third-party’s server, this is considered processing.
Companies affected by this new regulation include, but are not limited to, the following:
- Technology Providers
- Cloud Service Companies
- Telecom Organizations
- Mobile App Development Companies
- Financial Agencies
Here are four major factors of the GPDR that may affect your business:
Protection Policy—You will need to investigate how your organization handles data breaches and reports them to customers. Under the new regulation, customers need to be notified within 72 hours of a breach.
Individual Consent—You will no longer be able to process any personal data without consent. Email marketing is a great example of this. You will need to prove that an individual agreed to this service, and if they decide to unsubscribe, you must remove them and delete their information.
Chain of Control—If your business is not directly collecting the personal data, but you’re receiving customer information, you’re still liable. For example, if you’re providing ecommerce web design services for a client whose customers include EU residents, you’ll need to follow GDPR requirements.
Privacy by Design—Businesses are required to take proactive steps in their operations to ensure that data is properly collected, processed, managed, and destroyed. Not having a privacy policy, or privacy plan in place, will be an aggravating factor to any fines assessed under the GDPR.
Even if you’re not serving EU customers, it’s important that you examine your organization’s current policy and procedures to ensure all personal data is protected, as this will instill confidence in your customers and bring value to your organization.
This article is not intended to be, nor should it be relied upon, as specific legal advice.
