The hottest data protection issue for major U.S. businesses this year is compliance with the European Union’s General Data Protection Regulation (GDPR). Even small and medium sized businesses may also need to comply with GDPR. This post covers frequently asked questions about GDPR.
What is GDPR? GDPR is the European Union’s comprehensive data protection law that takes the place of 1995’s Data Protection Directive 95/46/EC. By “data protection,” I am referring to both privacy and security. GDPR collects, clarifies, harmonizes, and expands data protection requirements throughout the European Economic Area (EEA). The European Economic Area consists of the 28 countries of the European Union plus Norway, Iceland, and Liechtenstein.
Why is GDPR such a concern for U.S. businesses? First, the fines for violating GDPR are potentially heavy. EU data protection authorities can fine businesses up to 20 million euros ($23.5 million) or 4 percent of their global revenues for violations, whichever is greater. Fines, moreover, will likely be based on the revenue of the global parent and any subsidiaries involved with the violations. Second, U.S. businesses find GDPR to be complex and unfamiliar. Questions arise concerning jurisdictional scope, defining the kinds of personal data covered, obtaining consents from individuals, maintaining an audit trail of consents, managing cross-border data flows, and handling new forms of individual rights given to EEA residents.