Europe’s GDPR Data-Protection Law will Likely Affect You in the U.S. and Everywhere

Thinking GDPR (Europe’s new General Data Protection Regulation) won’t affect you because your company is based in the U.S.? Or because your website is hosted on American soil?

Well, you’re in for a surprise later this month.

The new law goes into effect May 25, roughly two years after the European Union’s Parliament approved it.

GDPR makes you liable for penalties if you collect data on citizens of the European Union. Your location outside of Europe matters not.

Shown are three Lego figurines to illustrate that you are subject to penalties if you fail to comply with GDPR. In this image, the figurine in the middle is a mustachioed businessman seated in front of a computer atop a desk. He looks terrified. Flanking him are Lego figurines made up to look like armed members of a SWAT team. They wear black uniforms and helmets with night-vision goggles attached. One holds an assault rifle, while the other holds a pistol with a silencer attached.
The penalties for GDPR non-compliance may terrify you. While the SWAT team won’t come looking for you, European courts will be able to fine you to the tune of $25 million or 4 percent of your revenues, whichever you’ll find most painful.

So it behooves you to know what this new law entails if you hope to comply with it. In a nutshell, GDPR obliges you to make some security-oriented changes to your website and to your Internet practices.

As for what you need to do to your website, we at Valet will spell it out for you in an upcoming article. Stay tuned.

As for what you need to do differently with your Internet practices, please keep reading.


GDPR Reflects a New Reality

First, though, a bit of explanation about GDPR itself.

The new law basically takes the essence of the EU’s 1995 Data Protection Directive and injects it with a mega-dose of steroids. GDPR completely replaces the old law, which for a long time people recognized as the gold-standard for Internet data protection and privacy.

A lot happened in the world of cybersecurity since the authoring of the Data Protection Directive. GDPR reflects the issues and concerns of the modern Internet era—an era in which data breaches and privacy abuses occur on a  seemingly daily basis and with the greatest of ease.

GDPR requires anyone who collects personal data on EU citizens take serious steps to ensure that all such info remains locked up tighter than a drum. Here’s just some of what must be safeguarded if an individual’s name or other personal identifier is attached to it:

  • Age
  • Physical mailing address
  • Email address
  • Phone numbers
  • Web IP address
  • Cookie data
  • Health records
  • Race, ethnicity, sexual orientation
  • Political views and opinions

GDPR also demands you pinpoint the source of info you collect. As well, you must keep good records of the names and affiliations of individuals or businesses you let see those pieces of harvested data.


No Time-Limit for Data Retention

GDPR mentions no time limit for how long you must preserve these records. As such, many experts recommend you plan on keeping them indefinitely.

There’s also no surefire, ironclad way to prove that you’re not fooling around when it comes to protecting data.

Problematic too: GDPR limits your use of collected data to just the purpose you declare. You break the law if, for example, you post an invitation to receive a whitepaper in exchange for an email address, but then in addition to the whitepaper you send marketing-oriented emails (unless you clearly warned of that in the original invitation).

GDPR bars you from collecting data not legitimately needed. Example: a site visitor wants access to your cool videos about the mating habits of aardvarks in captivity. No problem if you ask this person in the course of creating a user account to disclose his or her age and favorite zoo. Major problem if you also ask for his or her political affiliation and homeownership status.


GDPR Provides a Right to be Forgotten

GDPR gives EU citizens from whom you collect data the right to demand you remove old or wrong info.

Of course, for them to know such a thing you first must let them see the collected data. Well, guess what? GDPR says you must allow them to look—and to do so easily.

Before you even start collecting data you must unambiguously ask people for their informed, affirmative, equally unambiguous consent. No more automatically harvesting personal data with an opt-out option as the only way to stop it. Under GDPR, the EU citizen must opt in if you want to be able to collect anything at all.

Oh, and get this. It’s illegal to present to your visitors any check-off boxes that you’ve already checked for them as a convenience. They on their own must check the boxes. In other words, all boxes must be presented unchecked.


Take GDPR Seriously

It’s a bad idea to not take GDPR seriously. Pegasystems—a Cambridge, Massachusetts, cloud software company—warns that you risk fines of up to 4 percent of your annual revenue or roughly $25 million, whichever hurts you more, if you blow-off GDPR.

Don’t think the EU authorities won’t catch you. Pegasystems polled 7,000 EU consumers and found that 82 percent of them plan to exercise the rights GDPR grants them to haul you before the World Court or some other EU tribunal in the event you break the law.

That’s a lot of people carrying the legal equivalent of pitchforks and torches. It’s going to be hard to escape their dragnet. You’re not alone. A survey by PricewaterhouseCoopers finds 92 percent of U.S. businesses currently worrying about GDPR’s impact on them.

We strongly recommend you become as familiar as possible with the provisions of GDPR. What we’ve shared with you here merely scratches the surface.


Drop us a line at Valet. And stay tuned to our blog and social channels for links to more resources on GDPR.

Newsletter Signup

Laptop on desk

Ready to get started?

Tell us your story.

Let's Talk