On May 25, 2018, the General Data Protection Regulation (GDPR) goes into effect in the European Union. Although these protections are designed to safeguard the personal data of individuals located in the EU, U.S. businesses will be affected by GDPR compliance requirements, too. Simply put, if you collect, process, or store the personal information of anyone located in the EU, failing to follow these regulations will prove costly to your business.
Most corporations that collect large amounts of data and do business in Europe are already aware of the regulations and are taking steps to comply with them, but those steps may not be as comprehensive as they should be. Many smaller companies that do only a limited amount of business with European customers may not be as aware of the new requirements and the strict protections being put into place for personal data. Even if you have only a few contracts with EU customers, the GDPR will apply to you, so you need to understand your responsibilities when it comes to data protection.
Under the terms of the GDPR, the new rules apply to any business involved in the processing of “personal data,” which the regulation defines as “any information relating to an identified or identifiable natural person.” This is a deliberately broad definition: it covers not only information that directly identifies an individual, but also information that can lead to his or her identification, such as an IP address or other online identifier. In terms of your business, you are bound by the GDPR rules if:
In other words, if you do business with people in the EU, offering them goods or services or monitoring their behavior, you have to follow the rules regardless of where your company is located.
So, what are the rules you need to follow? The GDPR outlines several new data protection rules, including stricter requirements for obtaining consent before data is collected and used. Individuals also have the “right to be forgotten” (the GDPR calls it the right to erasure), meaning that if they request that their data be deleted, companies must comply unless one of the regulation's limited exceptions applies, such as a legal obligation to retain the data.
Although these rules are important, there are some aspects of the GDPR that are more likely to be of concern to U.S.-based businesses. Among them:
These are the rules most likely to affect U.S.-based businesses. Experts predict that the businesses most likely to be impacted by the GDPR are those in the travel, hospitality, e-commerce, and software industries. Even if you aren’t in those industries, though, if you have contracts with EU-based customers you need to prepare now.
Time is running out for businesses to get ready for the GDPR. Before May, you need to determine what personal information you hold that is covered under the GDPR and take steps to protect it. This includes analyzing your contracts, not only to identify any information that needs to be protected, but also to find the contracts that are out of compliance and need to be amended. You also need a system for maintaining insight into all your contracts and your risk, so you can make smarter decisions and avoid costly errors. The best way to do this is with a contract management platform like Exari, which includes powerful tools that quickly provide insight into your existing contracts and a streamlined process for revising and storing them.