GDPR Compliance – What does it mean for companies outside of Europe?
There are many companies outside of Europe that do little to no business directly with Europe. We’re in that boat. Those who are not in Europe may not be fully aware of what GDPR compliance could mean for them. Plenty has been written about the regulation and how it will affect Europe; however, there has been a lot less on how non-European businesses will be impacted by the new laws. We outline some information below to help.
What is GDPR?
The General Data Protection Regulation (GDPR) is a law around data protection and privacy within the European Union (EU). It was originally adopted in April 2016, with an adaptation period of two years. Consequently, the law comes into enforcement on 25th May, 2018. The aim of the law is to give citizens and residents control over the data they provide to businesses.
Anything around personally identifiable data comes under these new laws. As a result, this includes collecting, processing, using, retaining and even deleting the data.
What exactly does this mean for business outside of Europe?
While it may not be so obvious, these laws will affect non-European companies. Anyone seen as dealing with European-based businesses, residents or citizens has a duty to comply, regardless of their geographical location.
If you have a single European-based client, or in the case of a B2C business a single European customer, then failure to comply could attract heavy penalties (see Compliance Penalties below).
The GDPR penalties for non-compliance come in two tiers, based on the seriousness of the issue. Basically:
- For lesser offenses, the penalty is the higher of €10 million or 2% of annual global turnover for the previous year.
- For non-compliance, the penalty is the higher of €20 million or 4% of annual global turnover for the previous year.
An example that would attract the lesser penalty would be failure to correctly report a breach within 72 hours of discovery.
A ‘weak’ password could be enough to become non-compliant to GDPR.
These kinds of figures are enough to set back even the most robust business. The official documentation of fines and penalties can be found here.
How to go about complying with GDPR?
While it seems that becoming GDPR compliant could be a large task, it’s fairly simple to break down into key areas to focus on.
Consent: If you intend to forward client data to a third party, explicit consent must be provided by the client/user. Consent can be given by the user ticking a box within your signup process, or by a letter/e-mail specifically written to your company.
Data Minimisation: Basically, this comes down to collecting only data relevant to your purposes. If you’re selling soap to clients, there isn’t any reason to store what type of car they own. The two are not related in any way.
Right of Access: A client or customer is able to request a copy of all the data you keep on file for them.
Right to be forgotten/erased: A client can request that personal data is deleted. It’s wise to have processes and measures in place to be able to do this effectively and easily.
As with anything legal…
Unsure if GDPR applies to your business, or wanting more comprehensive advice? We recommend getting legal advice on the subject.