What Non-EU Companies need to know about GDPR
I am no lawyer, but you probably already assumed this (I hope, I hope, I hope ...). So, whatever you read here is informed by my own third-party readings. However, you should definitely begin a dialogue with your legal team to determine if you are directly in this legislation's line of sight. By the end of this short post, you should be able to determine whether you are in its crosshairs! Duck!
If you are hearing about GDPR for the first time and your organization does most of its business online and for the EU market, then it's probably a little late in the game (the May 25, 2018 effective date is fast approaching) and you (and your organization) should start panicking NOW. That aside, if you want a very good synopsis of what GDPR is and how it differs from the way user profile data is currently managed, please do have a peek at our very own Tony Field's pontification on the subject here (and then come back, obviously!).
A Plain Observation
Data privacy laws tend to be more lax in the U.S. than they were, and now are, in the EU. Judging from last year's repeal of the U.S. broadband privacy rules (the FCC rules that would have required ISPs to get permission before selling browsing data), the U.S. seems more concerned with monetizing personal data (and using it for homeland security), while EU governments are more focused on protecting it. In Europe, individuals must consent, or opt in, before their information is shared; in the States they must opt out. It is exactly the polar opposite, and with GDPR about to take effect, the EU rules tilt even further toward the data privacy of the individual (not just EU citizens, as we'll see below). This is not the time to let your guard down!
How will GDPR Come into play for my non-EU based Company?
The wording of the legislation (Article 3, which defines its territorial scope) boils down to two cases that determine whether a company outside the EU falls within the reach of GDPR.
1. Your company directly targets "data subjects" (not necessarily EU citizens, just people who are in the EU). In GDPR terms this means you offer goods or services to people located in an EU country, or you monitor their behavior, and in doing so collect "personal data": any information relating to an identified or identifiable person. That is a broader notion than the U.S. idea of personally identifiable information (PII), and it includes behavioral data.
Data points in this collection process include:
- National identification numbers (the EU equivalent of a Social Security Number)
- Mailing or email address
- Phone numbers
- IP addresses
- Login IDs
- Social media posts
- Digital images
- Geo-location information
- Biometric data and behavioral data
The thing to note here is that the data subject does not have to engage in a financial transaction for any of this to apply. Tracking visitors from the EU with analytics cookies or an advertising profile counts as monitoring their behavior, even if they never buy anything.
2. Your company processes personal data on behalf of an EU company as a sub-contractor (a "processor", in GDPR terms; the EU company is the "controller"). Processors carry their own obligations under GDPR, and the controller is required to bind you to them by contract.
For example, if your company maintains a mailing address and bank account in the EU as part of providing services to an organization in the EU, then that EU presence alone is enough to bring the data you handle for that organization under GDPR.
How is the Severity for Non-Compliance Assessed and What are the Penalties?
The penalties for non-compliance are harsh and unforgiving. Companies that have already implemented security standards like PCI DSS, ISO 27001 or the NIST frameworks have a head start on GDPR's security-of-processing requirements (Article 32), but those standards do not cover the rest of the regulation: a lawful basis for each processing activity, honoring data subject rights such as access and erasure, keeping records of processing, and notifying the supervisory authority of a breach within 72 hours. Hopefully a well-run security program means you never have to worry about the fallout from non-compliance, but it is not a substitute for a GDPR gap analysis. GDPR penalties vary based on the severity of the violation(s).
The severity of non-compliance is assessed on a whole host of factors, including the nature of the infringement, whether it was intentional or negligent, mitigation actions taken, preventative measures already in place, the history of previous violations, cooperation with the supervisory authority after a breach, the categories of data affected, and whether the breach was proactively reported.
There are two tiers of administrative fines. Lower-level infringements carry a maximum of €10 million or 2% of total worldwide annual turnover for the preceding financial year, whichever is higher. Higher-level infringements (for example, violating the basic principles for processing, the conditions for consent, or data subjects' rights) carry a maximum of €20 million or 4% of worldwide annual turnover, whichever is higher. Neither of these is good for business!
Hopefully this gave you a little insight into how GDPR will affect non-EU organizations like yours.
Until next time,