The General Data Protection Regulation (GDPR), recently passed by the European Commission, aims to give European citizens more control over their personal data. Understanding the answer to the question “what is GDPR?” is critical, because it may affect Americans as well.
Note: this is not a detailed guide on how to comply with GDPR standards. It is informational and is meant to give you an idea of whether or not it’s necessary for your organization to comply.
What is GDPR?
The previous set of European data guidelines was established in 1995. Obviously, data and technology have changed a lot over the course of the last 20+ years.
So, what is GDPR, then? To put it simply, GDPR is a new set of rules meant to simplify and bring regulations up to speed so citizens and businesses can mutually benefit from the internet economy.
GDPR mandates that affected organizations must:
- Gather personal data legally
- Protect personal data from misuse
- Respect the rights of data owners
Some affected organizations must also appoint a data protection officer with knowledge of cyber security laws and practices to ensure compliance at all times. This is similar to 23 NYCRR Part 500, the cyber security law New York State-based banking, insurance and financial firms must obey.
3 Ways GDPR Affects America
Got European Customers? Prepare to Comply
If your company has customers or potential customers in Europe, GDPR compliance is mandatory. This includes demographic data and behavioral information. Even if your headquarters are located in the United States, you must comply.
Not Safe from Fines
GDPR uses a tiered approach to penalizing noncompliant organizations, depending on the severity and frequency of their offenses. The maximum charge is up to 4 percent of total annual revenue (up to 20 million euros or approximately $26.7 million).
And no, American companies are not safe from this.
Possible Precedent for America
The United States has already enacted federal data protection laws for health care (see HIPAA), but there are no overarching regulations that bind all commerce in the country. While regulations alone will certainly not prevent data breaches entirely, they may force companies to take cyber security more seriously.
For example, the notorious Equifax hack, which exposed the data of a staggering 143 million people, was entirely preventable. The Uber breach, in which hackers accessed 57 million people’s personal information, probably could have been prevented as well. The list goes on.
Some have already argued articulately for the adoption of GDPR-like laws by America. And, given the way technology is continuing to shape our lives, it’s not unreasonable to think the United States may implement its own federal data protection laws in the future.
This is just a brief answer to the complex question “what is GDPR?” If you have further questions about what it means for you and your business, be sure to contact a local cyber security expert.