GDPR: Why You Can’t Afford To Ignore It (Even if your small business isn’t in the EU)

June 25, 2018 / Roberta Hill

What does a European Union law about privacy have to do with your small business?

That might seem like a ridiculous question to ask, but it’s not.

The General Data Protection Regulation, or GDPR for short, went into effect one month ago today, on May 25, 2018. With privacy issues in the news on a near-daily basis, including the recent Congressional hearings about Facebook and Cambridge Analytica, you can’t afford to ignore the ramifications of GDPR for your business.

You could keep your head buried in the sand – but that’s not a good idea. Here’s what you need to know about GDPR.

GDPR is a law designed to standardize data privacy across the European Union’s member countries. It represents a big change – and a victory for EU citizens, who can now be confident that their data will be secure and that the regulations used to ensure its security are transparent.

On the flip side, EU-based businesses have had to scramble to be compliant with the new rules. The biggest requirement involves Personal Identification Information, or PII. PII is sometimes used as a general term in the United States to describe personal information that companies might collect and store on behalf of their customers.

While PII has traditionally included information like Social Security numbers and addresses, the GDPR expands the definition of PII to include other things. For example:

  • Web data, including the user’s location, IP address, cookies, and RFID tags
  • Medical and genetic data, including medical records, test results, and DNA
  • Biometric data, including fingerprints and other unique identifiers
  • Racial and ethnic data
  • Political opinions and orientation
  • Sexual orientation

In other words, companies in the EU must now protect their customers’ IP addresses and other information collected online with the same care they would give to financial information. GDPR further requires that organizations:

  • Store and process personal data only with an individual’s explicit consent
  • Hold data for only as long as it is necessary to do so
  • Destroy stored data upon request

There’s no denying that the implementation of GDPR represents a big change for EU companies.
