Does the General Data Protection Regulation (GDPR) Apply to Your Business?

You’ve heard about the European Union’s (EU) General Data Protection Regulation (GDPR), and you probably know that it goes into effect on May 25, 2018, but you might not be sure what GDPR is or, more importantly, whether it applies to your business. To help you determine whether your organization is impacted and what you can do to comply, we answer common GDPR questions below.

What is GDPR?

GDPR is a regulation adopted by the EU that requires businesses to protect both the data and privacy of EU residents. Data that falls under GDPR includes names, home addresses, IP addresses, user ID numbers, and medical information.¹

The regulation introduces new rules, a few of which we’ve outlined below:

• Businesses are required to report data breaches within 72 hours.²
• Requests for consent can no longer be presented through long terms and conditions made unreadable by legalese and instead must be presented clearly, concisely, and distinctly.³
• EU residents have new rights regarding their data, including being able to obtain access to their data, correct inaccurate data, request that their data be erased, object to their data being used for marketing, and restrict the processing of their data.⁴

These changes make it essential for organizations to know what data they have, who has access to it, and where it’s being kept.

Does GDPR apply to businesses in the United States?

GDPR applies to any U.S. business that has an office in an EU country, collects or processes the data of EU residents (even if the business has no physical office in the EU), or offers goods and services to EU residents.⁵

Even for the smallest U.S. companies, any type of presence in Europe (whether physical or online) means they must comply with GDPR or face steep fines.

What are the penalties for not complying?

The steepest penalty for noncompliance is €20 million or 4% of an organization’s annual global revenue (whichever is greater). This applies to serious offenses, such as not getting proper customer consent to process data. For less serious infringements, GDPR may issue a warning, a reprimand, a data processing ban, a monetary fine, or a combination of these penalties.⁶

If your business takes minimal or inadequate steps to comply, you will be in danger of getting hit with the more serious penalty.

How can my company comply?

Once you know your company is impacted by GDPR, the first step you need to take is understanding your data. This means knowing what types of data you have, where and how they’re stored, how they’re protected, and who has access to them. Basically, you will need to perform a detailed audit.

With those results, you can move on to identifying where you are not compliant and what solutions you need to implement to become compliant. Hiring a data privacy officer will ensure your business has an internal leader responsible for GDPR compliance who understands your data, knows what solutions to implement, and can effectively execute them.

Make sure you train your employees on GDPR so they understand what their responsibilities are for protecting data. And once your data protection program is in place, begin testing it to confirm it is robust and comprehensive. You’ll also need to perform regular assessments to ensure you’re prepared to both prevent data breaches and correctly manage a breach if one does occur.

Where can I get the help I need to comply?

If you’re not sure whether GDPR applies to your business or you want to ensure your business is compliant, contact Wipfli. We can assess whether you’re impacted by the regulation, help put a data privacy officer in place, implement a privacy program that complies with GDPR, and perform readiness testing.