New privacy and data security rules now apply to any company that operates in Europe or serves customers there. The European Union (EU) adopted the General Data Protection Regulation (GDPR), which requires businesses to give people in the EU more control over how their personal data is collected, what lawful basis or consent a company needs before it may use that data, and what may be done with the information. The regulation was adopted in 2016 and became enforceable on May 25, 2018.
Any American company that offers goods or services to people in the EU, or monitors their behavior online, must comply with the GDPR, whether or not it has an office there. It is likely that over the next few years similar regulations will be imposed by the U.S. government on companies in the USA as well.
GDPR is in Response to Data Breaches
The GDPR addresses the continuing problem of data breaches at companies of every size, including large online retailers and tech giants. Facebook's trouble over Cambridge Analytica is a related warning, but it was not a hack of Facebook's systems: a third-party app harvested user data through Facebook's own platform and passed it on for purposes users never agreed to. That is exactly the kind of downstream use the GDPR's consent and purpose-limitation rules are meant to prevent.
Under the GDPR, a company that holds personal data on people in the EU must notify the relevant supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to put the affected people at risk. Where the breach is likely to pose a high risk to those people, they must be told directly as well. The clock starts when the company becomes aware of the breach, not when its investigation is finished, so an incident-response plan needs a regulator-notification decision point early in the process. This means that even U.S.-based companies need to comply if they have an office in the EU, process data on behalf of a company there, or have online customers from the EU.
Another GDPR rule concerns consent: where a company relies on consent to collect or use personal data, that consent must be a clear, affirmative opt-in, and withdrawing it must be as easy as giving it. Pre-ticked boxes and buried opt-out links do not qualify. Companies that fail to meet these requirements face fines of up to 4% of their total worldwide annual turnover for the preceding financial year or €20 million (about $23.5 million at the time of writing), whichever is greater.
The GDPR rules are widely regarded as best practice for handling personal data. Many American companies are taking the proactive stance of complying with the GDPR even where the law does not require it. Work with the experts at Sentree Systems Corp. to find out how to change your information collection, storage, and usage procedures to comply with the GDPR.