The General Data Protection Regulation (GDPR) came into effect in Europe on May 25, 2018. For companies that may have clients in Europe, the GDPR provides guidelines for how companies must take care of client data. The regulations cover how firms must deal with clients regarding their data and how that data must be safeguarded, and they provide strict guidelines for breach notification. While the regulations were intended as a check on companies like Google and Facebook, they will have far-reaching effects on every company doing business in Europe, regardless of size.
As a US-based company, should you be concerned? If you don’t have any clients in Europe and aren’t gathering data on European citizens, you have nothing to worry about. If your company has European clients and may house data on European citizens, then you need to pay attention to the guidelines in the GDPR. While most of the focus is on allowing citizens to gain more control over data held by internet firms, the GDPR also provides a legal framework for European citizens to sue nearly any company for suspected misuse or loss of personal data. The GDPR also establishes an enforcement framework of “Supervisory Authorities” tasked with enforcement and with follow-up on citizen complaints. What makes this framework interesting is that each country has its own “Supervisory Authority” with the power to review cases and issue ill-defined fines. The only guidance in the regulations regarding fines says that a fine may not exceed 20,000,000 euros or 4% of combined entity revenue, whichever is larger. While the regulations do provide guidance for calculating fines based on the relative size and severity of the GDPR infraction, there is no set fine schedule. With such vague guidelines and large potential payouts to attorneys and governments, it is only a matter of time before the implementation of the GDPR takes on a life of its own.
Expect the US to adopt some form of GDPR in the not-too-distant future. US regulators and legislators will be watching the effect of the GDPR on business and on citizen data protection. Expect entities in the US to act on behalf of citizens to enact US data protection policies built around the lessons learned through the GDPR.