Why GDPR Applies to You, and You Don’t Know It - Part 1

The General Data Protection Regulation (GDPR) is a European law that goes into effect in May and regulates the collection of personal data. It aims to give people control over what information a company knows about them and how that information is used.

It is easy for most of us to stop reading once we see the word “Europe”. Don’t be too quick to brush it off. The law applies to any company with an E.U. presence, selling into the E.U., or in possession of (or monitoring the behavior of) E.U. residents’ data. To see if the law applies to you, ask yourself these questions:

  1. Does my company have anyone working in the E.U.?

    • This includes the UK, for the time being. In fact, the UK and Germany have each added their own addendum, which adds further conditions and complexity.

  2. Does my company have an employee from the E.U. working outside the E.U.?

    • As long as our European or British friend maintains residence or citizenship in any way, the rules apply.

  3. Are we selling to people in the E.U.?

    • Do you have a website? Most life science companies intend to sell globally. We know all the regulations and filing procedures for drug development or medical device certification precisely because of that global market.

    • Does your website’s “contact us” page have a form? The global market we love to sell to can easily fill out contact forms or request downloadable material. Once that happens, their name enters a sales or marketing database.

  4. Do you have the name of any E.U. resident in your CRM, marketing automation system, bulk email system, website membership (login), project management system, or Outlook/email directory?

    • This is the one that gets most of us. Maybe you are not directly intending to sell into Europe, but you probably have someone’s name or email. Any personal information, and especially any highly sensitive information, is regulated.

GDPR provides a uniform approach to data collection across a large group of countries. Many other countries and some US states have data protection laws. What makes GDPR unique is the size of the effort and the size of the penalty. The max fine is 4% of gross revenue up to ~$24 million. Big companies, like Google, were very quick to get in line with the regulation. Even certain apps, like Waze, are being much more explicit, using notifications to indicate that they know where you are.

Part 2 in this blog series will provide tips on how to prepare for GDPR.