Your business, which we’ll call Privacy Co., operates out of Kingston and sells almost exclusively to the United States. So why is a European Union (EU) privacy regulation suddenly affecting the way you handle customer data? What gives?

On May 25th, 2018, the General Data Protection Regulation (GDPR) came into effect after years of consultation and preparation. The goal of the regulation is to give individuals in the EU and the wider European Economic Area the means to better control their personal data. Furthermore, the regulation replaces a patchwork of national implementations of the 1995 Data Protection Directive with a single set of rules, simplifying what had become an overly complex regulatory framework for international businesses. Finally, and most significantly, this regulation has teeth. Companies that fall within the scope of the GDPR and breach its terms can be fined up to the greater of 4% of their annual global turnover or €20 million. So, now that you understand why you received 100 “We have updated our Privacy Policy” emails in the past couple of weeks, let’s dive in a little deeper and explore what it means to be GDPR compliant.

So, Privacy Co. operates in Kingston and predominantly sells to the United States, so the GDPR probably does not mean much to them, right? Well, last summer the company attended trade shows all across Europe and amassed quite the email list. On top of this, the marketing team has decided to run targeted online ads in the countries that hosted them. The GDPR does not care that Privacy Co. has yet to make a single sale to a European customer. Under Article 3(2), the regulation applies to a business with no establishment in the EU whenever its processing of personal data relates to offering goods or services to individuals in the EU or to monitoring their behaviour. Collecting the email addresses of EU residents and then serving them targeted ads does both, so the GDPR applies to Privacy Co. because it is “processing” personal data of people in the EU. Processing has been given a broad definition (Article 4(2)) and covers anything from merely storing personal data to using it to build better-informed forecasting models.

If you even slightly suspect that your company may be processing the personal data of individuals in the EU, you will want to make sure you do the following as soon as possible:

  1. Conduct an internal audit to ascertain what types of personal data you are collecting, what you are using the data for, where the data is coming from, and where it is stored;
  2. Establish policies that govern how personal data is collected, used and retained, and on what lawful basis;
  3. Put in place appropriate technical and organisational measures to keep personal data secure (Article 32 names encryption and pseudonymisation explicitly, so adequate technological safeguards are an essential part of the GDPR);
  4. Be able to locate and produce an individual’s data when they exercise their rights of access, rectification, erasure or portability, and continuously audit your efforts.

The potentially severe penalties embedded within this new regime make the GDPR something that absolutely cannot be ignored. With all of the recently publicized data breaches, it is clear that companies which have historically taken a cavalier approach to personal consumer data will now be held to a much higher standard of data control. There is no question that personal consumer data is a valuable asset, but the European Parliament appears to be reminding companies that consumer trust is equally valuable. So long as personal data continues to fetch a dollar, some international businesses will probably choose to run multiple privacy regimes, applying the GDPR only to customers in the jurisdictions that require it. On the other hand, we may see a widespread commitment to safeguarding personal consumer data worldwide, as a number of companies appear to have simply adopted the standard set by the GDPR as their single global privacy policy.

If you run a company, you absolutely must audit your data collection and retention practices. If you are a consumer, the next time you receive an email with “Privacy Update” in the subject line, take 10 minutes to really understand how the companies you interact with are actually using your personal information. You might be surprised.