On May 25th, 2018 a new set of data regulations was adopted in the EU, primarily with the purpose of giving EU residents better control over their personal information. The General Data Protection Regulation (GDPR) also addresses the export of information outside of the EU. For businesses in the United States, these regulations will have an impact, and there are certain measures and processes that will need to be addressed, especially for those in the marketing and communication sectors.
Although this is not yet a law in the US, it is now an EU regulation. Because of this, it does not require the US Government to pass any type of legislation for it to become binding or applicable. If your company processes data for any citizen or business within the EU, even if you don't have an office there, you need to become compliant.
If you don't, there are strict penalties. Although they would not be instantly enforceable, they could be anything up to 4 percent of your company's global turnover or 20 million euros, whichever is the greater amount.
This new regulation applies to your company if:
So, if your company ships products to the EU or you handle personal information for any individual who is located in the EU, whether they are a US citizen or not, then you must comply.
If you process or control information, then you are obliged to carry out new processes within your business. It is important to be aware of the new compliance issues. To assist you, we have outlined a few practical examples of the actions you can take to meet these obligations:
If you work in a marketing or communications business in the U.S., and your company undertakes systematic or regular monitoring on a large scale, you must appoint a dedicated Data Protection Officer who is available for any GDPR requests that could be made.
If you need to transfer data to a third party (this doesn't just refer to selling that information; it could be something as simple as giving information to a marketing company you work with or even an accountant), then you must ensure that the third party is also GDPR compliant. If they are not, or they breach GDPR, you could be held accountable for the breach.
You need to request consent for the explicit use of personal information. In doing this, you need to provide people with a form that is easy to access and make it easy for people to 'opt-out' and be able to remove their consent. Separate requests are needed for each collection, and you also need to send a "just in time" notification before any information is processed or collected.
This is one of the most significant changes, and it means that many businesses in the US and worldwide need to change their communications systems and related data collection processes.
Another important note is that if someone asks you to remove their information, you need to comply with their request promptly unless you have a genuine requirement for that data.
For more information on GDPR, you can visit the UK's ICO GDPR website.
As a final note, you need to make sure that any suppliers or third parties you work with are GDPR compliant as per your obligations.