The General Data Protection Regulation (GDPR) is the newly implemented legal framework of the European Union aimed at strengthening the rights of EU citizens regarding their online privacy and personal data: things like credit card numbers, travel information, religious affiliations, web search results, data from fitness monitors, and IP addresses. The GDPR does not only affect websites and businesses in Europe; U.S. businesses must also comply. Interestingly, for some American companies it has been easier to block Europeans from accessing their product than to comply with the GDPR. The Los Angeles Times, Chicago Tribune, New York Daily News, and A&E Television Network are just a few of the companies telling visitors to their sites that “Unfortunately, our website is currently unavailable in most European countries.”
The criteria that might bring a website or company under the GDPR, and therefore require changes to its analytics and tracking to be compliant, include the following: if any customers are based in Europe; if your website receives traffic from Europe; if your website or app speaks directly or markets to European citizens; if you’re a retailer and you sell to Europeans and accept European currency; or if you advertise or market products to Europeans. As websites are generally accessible from anywhere, this new regulation affects many businesses. And penalties for violations? They have been reported to go as high as $25 million or 4% of global revenues.
Firms with over 250 employees have to hire a data protection officer, who is responsible for making sure the rules are followed. Smaller companies may also have to hire a data protection officer if they handle personal data. Any breaches must be reported within 72 hours. Unfortunately, and confusingly, it has been reported that there is no clear bullet-point list of what to do to make sure your business is compliant. Companies do have to post clear notices to users and get their consent to collect their data; they can no longer bury the OK in the fine print and legal jargon at the bottom of the page. But much of the legal framework and legislation will need to be interpreted by the courts, which means this could be a long, foggy, and likely bumpy ride.