Are you ready for the European Union’s General Data Protection (GDPR) regulations? They go into effect on May 25, 2018, and they apply to businesses of all sizes, all over the world — including those in the United States.
Like HIPAA, Sarbanes Oxley, and PCI, Europe’s forthcoming compliance framework is extremely complex. GDPR requires high-level information security and multiple full-time IT specialists to handle it. The entire process can be outsourced to a technology support provider like Spectrumwise, but that’s not what this article is about.
We’ve been in business for over 17 years and we haven’t come that far by selling services our customers don’t need. So before we try to convince you we’re the best GDPR data processor in the Charlotte, NC area, let’s find out whether you need to be compliant at all.
What does GDPR cover?
At its most basic, GDPR is about allowing citizens and temporary residents to decide how their personal information is collected, stored, processed, and destroyed. And it doesn’t matter where you do business — if you work with any of the following identifiers for European residents, you need to be GDPR compliant:
- Names, addresses, and phone/ID numbers
- Web trackers (“cookies” and other tools that record who visits your site)
- Health and genetic data
- Biometric data
- Race or ethnicity data
- Social media posts
You may not think this information would ever wind up on the hard drive of a small business in North Carolina, but there are plenty of likely scenarios.
A hobby shop that ships to the EU
It’s impossible to deliver your product to someone without their name or address. And even if you run a small-scale eCommerce site, you could be in for a big shock when GDPR goes into effect. Collecting personal information without becoming compliant could result in a fine equal to either 2% of your global annual turnover or 10 million Euros, depending on which is greater.
A bed and breakfast that sends out email newsletters
Sales aren’t the only thing you need to worry about. Let’s say a tourist from Italy comes to your bed and breakfast, stays for a week, and volunteers his or her email address during the checkout process. That doesn’t require compliance.
If, however, you were to send out an email newsletter for marketing purposes after the tourist returned home, you could be stepping into a GDPR mess. Email-tracking software — such as the Microsoft Connections app we install and configure for clients — allows you to see when an email is opened, if it was forwarded or deleted, and so on. And in the eyes of EU regulators, this is a form of data monitoring requiring compliance.
A florist who pays a freelancer for web design
Enough about EU customers, what about people on your payroll? It could be something as simple as putting up an ad on Craigslist for help with your website. If you outsource the work to someone in a European country, there’s no way around storing regulated information for tax purposes, which means your $500 website could result in a GDPR fine that puts you out of business.
An accountant who serves a US company with EU information
Third-party vendors are required to be compliant when they provide services to any company that stores data on EU residents. So if you were to help any of the businesses in our previous examples prepare their taxes, you too would be required to meet GDPR security standards.
A whole new ballgame
Although there’s a significant amount of overlap between various US data regulations, GDPR introduces some big changes to privacy requirements. Small businesses should not assume that because they are HIPAA compliant they don’t need to worry about EU data policies. In addition to IT security minimums, every form, email, or other data-collection device needs to come with “opt-in” checkboxes and a legally binding agreement that explains how the data will be used.
Have Spectrumwise network security solutions discuss your compliance management, and preparing for GDPR if you’re still unsure whether your company needs to adhere to this new framework. Give us a call today.