People conducting business globally are more aware than anyone that the world is much smaller than it used to be.
Economic developments on the other side of the world can impact not just the massive multi-nationals, but small startups making a go of it in a global economy.
Still, when it comes to an announcement about something like a new regulation coming out of the European Union, there's a natural inclination to treat it like any other news about international economic developments – maybe worth thinking about at some point, but pretty far away from your day-to-day concerns.
But the EU's General Data Protection Regulation (GDPR) isn't a mere bureaucratic blip that'll blink in and out of the news cycle and be forgotten. It establishes a whole new slate of responsibilities for how businesses deal with data to protect the privacy of users. And it's incorrect to think that you need an office on European soil to have to follow GDPR’s rules – or to be subject to its penalties.
All companies that have customers or employees in Europe are subject to GDPR. And all EU citizens are protected under the law, regardless of location.
So no matter how minimal you might think of your EU footprint as being, every U.S. company should get well acquainted with the demands of GDPR and be thinking of how to reach full compliance by May 25, 2018, when the deadline for enforcement goes into effect.
Here are a few reasons why you should be planning ahead and taking GDPR seriously.
The EU has made sure that the fine is potentially debilitating enough to be taken seriously – violations can cost up to €20 million euro ($23 million) or 4 percent of your global revenue. So in this instance, getting your data operations up to snuff is the only reasonable approach.
One of the big distinctions between how privacy is treated in the U.S. and how it is treated in EU countries is that in the EU, individuals have a right to request that personal data about them be expunged from the internet under some circumstances.
For U.S.-based companies, facilitating this right will be necessary when GDPR is implemented – and it can be a sticky wicket. Problems can arise, for instance, if an EU citizen makes a request to have personal information expunged and you have – in addition to a live copy of it on an internal database – a copy of it on a backup server. In such a case, you might find that your backup solution doesn't allow you to delete individual backed-up records one-by-one.
Thus you'll find yourself prevented from complying with the request because of your own technological limitations. But that, of course, won't make it any less necessary for you to comply. And you'll also be asked to verify that the data has been treated appropriately, which could add additional challenges depending on how your backup solution is built out.
In such a case, the kind of contortions you'd have to go through to get that piece of data removed (and prove that it's been done correctly) could be costly at best.
So it's critical that your infrastructure is set up to facilitate managing such requests from the outset – and if you don't know if you're set up to do that, now is the time to find out.
If you've already breathed a sigh of relief and decided that you're all clear because you don't have a European office, and don't collect a great deal of data EU citizens, you might want to dig deeper. Many less obvious things fall under the umbrella of "personal data" as the EU defines it.
Phone numbers and addresses that you may have purchased for marketing purposes, contracts with third parties and even information that you've come across in the midst of a transaction can fall under GDPR regulations.
And given that EU citizens are all protected no matter where they are, if you've got clients or customers, or even job applicants, who are physically located in the U.S. but have EU citizenship, you could find yourself unknowingly on the wrong end of a GDPR request, and be unable to comply if you have no mechanism for handling the data the right way.
The clock is ticking on GDPR compliance. Given the stiffness of the potential penalties, the broad applicability of the regulation no matter where an EU citizen resides and the relative difficulty of figuring out how you might be affected, there's no time to waste.
And it's also critical to keep in mind that if any of your business-critical operations are managed by third-party vendors that store customer or partner data on infrastructure external to your operation, they too need to be compliant with these regulations.