I’m here to ping you about GDPR.
That’s the European Union’s General Data Protection Regulation — due to take effect on May 25. If this sounds like just another set of data privacy rules that someone else, not you, has to worry about — don’t be fooled.
This time, things seem different, not least due to the current political/cultural moment’s intensifying focus on how — and how much — personally identifiable information is gathered and used. GDPR has companies worldwide (including in the US) altering their terms of service, rewriting contracts, and scrambling to provide new tools to handle what the GDPR defines as “personal data.”
Why? Although GDPR protects only people who are in the EU (residents and visitors, not just EU citizens), the rules regarding consent for data use and the strength of potential penalties (up to 4% of worldwide annual turnover or €20 million, whichever is higher) — along with the global reach of the internet — may make it less risky (and less costly) to assume GDPR does affect your business than to assume it does not. This is especially true if your enterprise handles personal data.
Here, then, is my list of six ways GDPR can bite you — even if yours is a non-EU enterprise. In this post, I’ll focus on the first two ways:
1 How far GDPR reaches
GDPR protects EU individuals even if their data is generated or processed elsewhere, even if no financial transaction occurs, even if the EU individual didn’t provide the data.
Thus GDPR can impact just about all major corporations, financial institutions, universities, publishers, and certainly the myriad hospitality, travel, software services, and e-commerce ad-tech-retail outfits that track and profile billions of people. GDPR includes no blanket exemption for small organizations; the main relief, a lighter record-keeping duty for organizations with fewer than 250 employees (Article 30), falls away as soon as their processing is more than occasional or involves risky or sensitive data.
How much your business has to worry about this depends partly on whom your marketing targets. If, say, your English-language webpage is written for US customers and you do not track visitors from the EU, GDPR is unlikely to apply. But if you target people in the EU — a webpage in the appropriate language, for instance, with references to EU customers and prices in euros — then GDPR applies (Article 3(2), read with Recital 23). The same article also catches any monitoring of the behaviour of people in the EU, such as profiling them with tracking cookies or analytics, regardless of which market you think you are aiming at.
2 Personal and sensitive data must be treated right
GDPR’s definition of “personal data” is broader than the usual notion of personally identifiable information: it covers any information relating to an identified or identifiable person, including data that identifies someone only when combined with other data. That sweeps in, among other things, IP addresses, cookie and device identifiers, fingerprints, and retina scans.
GDPR distinguishes ordinary “personal data” (e.g., IP address, street address, name) from “special categories” of data, often called sensitive data (Article 9): racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, and sex life or sexual orientation. Processing special-category data is prohibited unless one of the narrow exceptions in Article 9(2) applies (such as explicit consent), it warrants stronger safeguards in storage, and using it in solely automated decisions about a person, such as granting a mortgage, is restricted further still (Article 22).
Any data you process that’s covered by GDPR must be protected according to GDPR rules. If you’re already adhering to the likes of PCI DSS, ISO 27001, or NIST security standards, the security obligations in Article 32 (pseudonymization and encryption, confidentiality, integrity, availability and resilience, and regular testing of controls) will feel familiar. Those frameworks say little, however, about the rest of GDPR: a lawful basis and valid consent for each use of data, data-subject rights such as access and erasure, and notifying the supervisory authority of a breach without undue delay and, where feasible, within 72 hours (Article 33).
In my next post, I’ll look at the four additional ways GDPR can impact your business…