The General Data Protection Regulation (GDPR) is a European Union regulation on data protection and privacy for all individuals within the EU’s 28 member countries. When it goes into effect on May 25, 2018, it will require companies that collect personal data on European Union citizens to comprehensively manage and secure that data. It has specific reporting requirements that include conducting data protection impact assessments, mandatory breach reporting, mapping data flows, and, where applicable, appointing a Data Protection Officer (DPO). Its aim is to simplify the regulatory environment for international business by unifying the regulation within the EU, and to protect the personally identifiable information of EU citizens in all data, no matter where it resides – even if it is outside the EU.
You don’t have to sell products or services over your website to EU citizens to fall under the provisions of the GDPR – you need only to market to them (which essentially means you have web content that is localized to the EU). And, if you do, any data you collect from them – not just through financial transactions but any and all personally identifiable information (PII) that they leave on your website during their visit – will be subject to GDPR data protection requirements. For example, if your organization requires users to provide their email address to receive a white paper or to sign up for a newsletter, or collects browsing information from them, any data you collect will have to be protected under GDPR rules.
The Crypsis Group specializes in helping enterprises and other organizations prepare for the GDPR. Contact us today for more information. In the meantime, the Forbes Technology Council has an overview of GDPR and how companies are preparing.