It’s May 25th and that means the world’s most sweeping privacy law, known as the GDPR, is now in effect. The law includes nasty fines—such as 4% of a company’s revenue—for serious violations, and applies well beyond the borders of the European Union.
The GDPR is also staggeringly complex and could ensnare some U.S. companies in foreign regulatory hell. Many are unprepared. To help make sense of it, here’s a plain English guide on how it affects U.S. firms as well as some links to further reading.
What exactly is the GDPR and why do I keep hearing about it?
The GDPR, aka the General Data Protection Regulation, is a EU-wide data protection law that supersedes various national privacy laws. The EU enacted the law in 2016 but delayed enforcement until May 25, 2018.
You keep hearing about the GDPR because it’s important, but also because it’s become a business in its own right, providing work for an army of consultants, lawyers and public relations firms.
What does the GDPR have to do with U.S. companies?
The GDPR applies in Europe, of course, but it also affects foreign companies that do business there. U.S. firms that have employees or customers in Europe—anyone from the likes of Facebook to small app developers—are affected by the GDPR.
Part of this is strategic. As the Financial Times explains, this is the so-called Brussels Effect in action: “the EU tends to write rules for itself and let the gravity of its huge market pull other economies into its regulatory orbit. Businesses faced with multiple regulatory regimes will tend to work to the highest standard, known widely as the “Brussels effect.”
Okay, what are the specific rules a company must follow?
The short answer is keep a tight lid on customer data. The longer answer is a firm must comply with a complex series of rules that include:
- Allow customers to see and delete the data that concerns them
- Provide notice of data breaches in 72 hours
- Make data policies transparent to an average person (ie don’t hide privacy stuff in legalese no one reads)
- Hire a Chief Data Office in some cases
- Follow “privacy by design” principles
Note that the rules are different depending on the data in question. According to Courtney Bowman of the law firm Proskauer in Los Angeles, companies that touch “special categories” of sensitive data—medical records, children’s data and so on—should be especially careful.
It’s also important to note that using customer data requires consent in many cases—but not all of them. There are other GDPR-compliant ways to use customer data, especially when it’s necessary to conduct business (you’re going to want to ask a lawyer if you qualify).
What happens if a U.S. company doesn’t follow the rules?
Good question. While the maximum fine is mind-boggling—the higher of 4% worldwide revenue or 20 million euros—the European regulators are unlikely to start imposing such penalties right away. Part of the problem is that the rules are so complicated that companies may find it hard to know for sure if they comply. Meanwhile, the early signs are that most firms and even the regulators themselves are still not ready for GDPR’s arrival.
The consensus is that EU regulators are likely to go slow at first, and focus on the most egregious offenders rather than fine every company they can.
So what can a U.S. company do to avoid headaches?
Bowman, the Proskauer lawyer, says the first step is simply to become aware of what data the company controls and where it’s stored . She says this isn’t just a job for the general counsel, but may require a cross-company effort with members of the IT team, human resources and so on.
Bowman also says that regulators, if they come knocking, are likely to recognize good faith attempts to comply, so it won’t hurt to keep records of the company’s efforts. The bottom line, though, is there is no short cut to get GDPR out of your life.
“People ask how to comply in 5 minutes. GDPR is more than a day or two and checking a box. Unfortunately, it will require time and effort and money, and strategic risk assessment. It can potentially be quite expensive.”
I can’t get enough of this stuff. Where can I learn more?
There’s no shortage of reading material about the GDPR, but here are some materials I found helpful in researching this story:
“GDPR Takes Effect – What to Expect” (Wall Street Journal): a quick run-down of the broad strokes.
“No one’s ready for GDPR” (The Verge): a pragmatic look at the on-the-ground reality in which neither companies or governments are up to speed.
“An Overview of the New GDPR” (Proskauer law firm): a handy table of the major provisions and what they do.
“Data Privacy Law Creates New Business for Tech Industry” (Wall Street Journal): a look at the cottage industry of compliance that’s sprung up around GDPR.
“Does the GDPR Apply to All EU Citizens’ Data?” (Bryan Cave law firm): a legal rundown of just who this law covers.