Beginning May 2018, what is being dubbed as the “greatest change to European data security in 20 years” will be enacted. The General Data Protection Regulation (GDPR) is a game-changer for businesses based in the European Union and all around the globe. While most EU-based companies should have already been well on their way to compliance with the European GDPR, many businesses across the United States are only just beginning to understand what it might mean to their current business model. Even if you do not have a direct business operation in one of the countries included in the European Union, this new regulation could directly impact your Boston-based business.
Do You Have a Web Presence?
While most companies today have at least a basic web presence, they still might not be directly marketing to consumers in the EU. However, that does not mean that those customers aren’t finding out about your business from across the pond. One of the most important changes in the law for European Union consumers is a provision that turns on the geographic location of the EU citizen at the moment data is collected. When information is obtained from an EU citizen who is located in the EU, the law applies; but if that same EU citizen is physically located outside the EU at the moment of data collection, the new regulation does not apply.
One example of this would be a citizen of the European Union on holiday in the United States. If their data and behavioral information were collected via your Boston-based website, you would not be subject to the requirements of the GDPR. However, if that same EU citizen were at home in France, Germany, or any one of the 28 states involved in the European Union, then those requirements would apply. It is important to note that no financial transaction needs to take place for this law to be applicable. Just the mere collection of “personal data” through a marketing survey would fall within the scope of the new General Data Protection Regulation.
Web Pages Written for US-Based Consumers
However, it is important to note that there are some complications to the geographical scope of the European GDPR and the way it applies to your requirements for Boston data protection. If your company does not have a physical presence in an EU country and your website does not target data subjects in an EU country, the General Data Protection Regulation should not apply.
One example of this would be a French citizen who finds, through Google, a website of yours that is clearly written for US-based consumers or B2B customers. The challenge would come if that same US-based website featured marketing written in the language of the EU country and included references to EU users and customers. Then it would be considered “targeted marketing” and all of the rules of the GDPR would apply. Other “red flags” would include accepting the currency of that country as payment or having a domain suffix for that particular country.
What You Need to Do
For proper Boston data protection that complies with the new European GDPR, US-based companies that fall under the scope of the law must employ suitable IT solutions for business. The General Data Protection Regulation requires businesses and websites to protect the personal data of individuals who are located within the EU even if your business is not EU-based. While it is still not certain how the European Union will enforce these laws against American companies, it is important to do everything you can to become compliant and protect your business.
Significant fines were introduced to ensure that everyone becomes compliant with the new regulations. Companies that fail to report a breach to a regulator and all affected individuals within 72 hours of the breach are subject to “first tier” fines, which include 2 percent of that company’s global revenue. Increased penalties can reach as much as 4 percent of a company’s annual global turnover or €20 million, whichever is greater, depending on the infringement. One of the most important things to note concerning these fines and regulations is that they apply to both controllers and processors, which brings “clouds” into the realm of European GDPR enforcement.
Other relevant facts to note about Boston data protection for the GDPR include:
- EU-based individuals must opt in through an explicit action before you may process their personal data
- the opt-in language used in the statement must be straightforward and easy to understand
- the data that is collected cannot be used for any purpose other than what is described in the statement
- examples of personal data include personal information, digital identifiers, financial information, location data, medical records, legal records, and government records
Contact Synivate for IT Solutions for Business
If you have concerns about the European GDPR and how it might impact your Boston-based business, give us a call. We can help you employ increased security measures, encrypt data and devices, and implement methods that let you document all of your efforts, should they ever come into question in the future. Synivate specializes in providing our clients with increased data security, remote monitoring and management, backup solutions, web protection, antivirus protection, and much more. Give us a call at 617-517-0704 to get a free estimate on our services or to learn more about our IT solutions for business in the Greater Boston area.