I’ll cut to the chase: GDPR stands for the European Union’s General Data Protection Regulation, and if your company is not in compliance by May of next year (2018), you could incur millions of dollars’ worth of fines.
As this deadline approaches, I’ve been surprised by how little concern or even awareness of the GDPR I’ve seen. A recent survey by Spiceworks drove this point home. When IT departments were asked how much budget they had allocated to ensure compliance with the GDPR, 57% responded that they didn’t know or that they hadn’t allocated any budget. When that data is broken down by region, nearly 70% of the North American respondents indicated that they didn’t know or that they hadn’t allocated budget.
But GDPR compliance is not just “a European thing”; if you are a North American company that collects international customer data, you most likely need to be in compliance.
The GDPR was adopted in 2016 and will become effective on May 25, 2018, replacing the 1995 European Union (EU) Data Directive. Under the new legislation, companies will have to actively obtain consent from each customer before storing their PII (Personally Identifiable Information), and they must be able to provide evidence that this consent has been given. In addition, companies must report any customer data breach within 72 hours of occurrence and must offer customers the ability to request that all of their records be deleted. The legislation makes it explicitly clear that these rules don’t apply only to European companies or to US companies with a physical presence in the EU, but to any business processing the data of EU citizens. This is distinctly different from the old 1995 EU Data Directive.
Another thing to be aware of – while in the US we generally don’t consider IP addresses to be personally identifying information, in the EU an IP address is treated as personal data. So any US business that collects even just the IP address of an EU resident falls under the legislation.
And the fines are nothing to sneeze at: a fine of up to €10 million or 2% of annual worldwide turnover, whichever is higher, will apply to less serious breaches, and a fine of up to €20 million or 4% of annual worldwide turnover, whichever is higher, may be imposed for more serious breaches. That’s approximately $12 million in fines on the low end and $23 million on the high end – enough to make anyone sit up and take notice!
You can learn more about the GDPR here.