The European Union’s GDPR took effect in May 2018. As the first major update to data protection laws in the EU since 1995, it combines previous data protection directives into a single, comprehensive regulation — one of its main advantages.
But what if your organization is based outside EU borders? Do you need to concern yourself with all that the GDPR covers?
The answer is, almost undoubtedly, yes. The regulation does not apply to European-based organizations only: Any entity that holds or processes personally identifiable information (PII) for even a single individual who is a citizen or resident of the EU must comply with the terms of the GDPR.
What exactly is PII?
PII is any information that can be used to identify a natural person (referred to as a “data subject” in the GDPR). This can be anything ranging from a name, photo, email address, bank details or posts on social networking websites, to medical information, a computer IP address, social security number or physical address.
In short, the regulation is very broad and applies to almost any information gathered about individuals.
It’s important to note, too, that under the GDPR, people now have much more control over their data. And it really is “their” data — individuals can request that you stop collecting it, justify its retention, modify or delete it, or make it available to them in a usable, machine-readable format so that it’s portable and can be provided to others.
That said, your organization now has less control over personal data you collect and retain, and your databases will likely downsize, as a result. Large majorities of people in many European countries (and elsewhere) have indicated they would prefer that their personal data is not collected for any reason, even if it benefits them.
Consider the business implications
Perhaps your company processes personal data about individuals while selling goods or services within EU countries. Or your organization’s website is visited by citizens or residents of the EU and you collect PII about them. In either case, you’ll need to consider how to best manage any data you collect and the business implications for your organization. The GDPR has stringent enforcement mechanisms and carries significant fines for non-compliance.
Indeed, the GDPR increases the legal risk of even accidental data breaches that are not dealt with immediately. Financial penalties for data protection violations step up massively, too, with violations carrying a price tag of up to four percent of your company’s annual global revenue.
In short, compliance with the GDPR may require you to invest some time and money, but ignoring the regulation could be even more costly.
Legal Disclaimer: This document is prepared to give you a general overview of how DFIN interprets the General Data Protection Regulation (GDPR) and is provided for informational purposes only. It is not intended to be or provide you with legal advice. Please consult your legal counsel for legal advice regarding the GDPR and how it applies to you.