Set to go into effect in May 2018, the General Data Protection Regulation (GDPR) is a new EU regulation (not merely a set of guidelines) that governs how personal information is collected, shared and stored by organizations, whether they are based in Europe or simply process the data of people who are in the EU. More specifically, the GDPR exists to:
“(H)armonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organizations across the region approach data privacy.”
But does the world really need new privacy laws? After all, most businesses already practice a certain level of discretion regarding their customers’ personal information. Plus, there exist numerous privacy controls at nearly every level of society.
In the U.S., for example, merchants that handle credit card information must follow the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS is a contractual industry standard rather than a law, but failure to remain compliant can still result in stiff penalties and fines from the card brands and acquiring banks.
Similar protections exist under the Health Insurance Portability and Accountability Act (HIPAA), which governs how patient records and medical information can be shared.
Why Introduce the General Data Protection Regulation?
Although most privacy laws exist to shield users from negligence and theft, the GDPR’s primary goal is to establish data protection as a “fundamental right” across the board.
In an age where most information is digitized, this distinction is crucial.
A user’s personal data can now be sent around the globe in milliseconds — for fractions of a penny. With this unprecedented convenience, companies are increasingly learning how to monetize these personal details.
Facebook and Google, for example, routinely collect information about their users and monetize these detailed profiles by selling targeted advertising against them. According to some estimates, the average user’s personal searches, posts, shares, likes and preferences are worth more than $250 to Facebook and nearly $360 to Google.
This monetization potential is especially high in the U.S., where consumer protection laws tend to be weaker. The European Union takes privacy very seriously, and with the introduction of the GDPR it hopes to establish a single set of rules that follows the personal data of people in the EU wherever in the world it is processed.
What’s in the General Data Protection Regulation?
The new privacy rules under the GDPR are far-reaching, with people in the EU receiving unprecedented control over how their personal information is used.
Below are some of the key pillars of these privacy protections.
- Consumers have the right to obtain a copy of the personal data an organization holds about them, along with an explanation of how that data is being used and with whom it is shared.
- Consumers also have the right to control that data, including asking that it be corrected or deleted.
- Where companies rely on consent to process data, they must ask for it with clear opt-in forms written in plain language, not buried in legalese or lengthy terms and conditions, and consent must be as easy to withdraw as it was to give.
- Online services aimed at children cannot rely on a minor’s own consent to collect their data: below age 16 (a threshold individual member states may lower to as low as 13), consent must come from a parent or guardian.
- A data breach that puts personal data at risk must be reported to the supervisory authority within 72 hours of the organization becoming aware of it, and the affected users themselves must be notified without undue delay when the breach is likely to put them at high risk.
Failure to follow these GDPR rules will result in steep fines for non-compliant organizations. According to the current rules, penalties can be as high as €20 million or 4 percent of a business’s worldwide annual turnover, whichever is higher.
As a U.S. Merchant, Why Should You Care About the GDPR?
The GDPR is a set of EU rules designed to protect people in the EU. So, how do these new rules affect your stateside business?
The GDPR applies to any organization, wherever it is located, that processes the personal data of people in the EU in connection with offering them goods or services or monitoring their behavior. Your business may be based entirely in the United States, but if you sell to customers in Europe, you’ll be expected to follow these new privacy rules or face the risk of hefty penalties.
There are no exceptions for foreign businesses that target EU customers. As a U.S. merchant, you basically have two choices moving forward:
- Option 1: Stop offering goods or services to anyone in the EU. This is impractical for most eCommerce merchants: an online store that ships to Europe, prices in euros or markets to European shoppers is squarely in scope. Even a mom-and-pop store in Peoria, Illinois, will find it hard to rule out European customers entirely.
- Option 2: Follow the GDPR rules and do everything in your power to remain compliant.
Even so, compliance won’t be easy.
This is especially true for smaller merchants that lack the resources to hire a Data Protection Officer (DPO), let alone an entire department dedicated to consumer privacy. (A DPO is mandatory only for certain organizations, such as those whose core activities involve large-scale monitoring of individuals or large-scale processing of sensitive data, but even merchants who are not required to appoint one still need someone who owns compliance.) Just look at how much stateside merchants have struggled with the switch to EMV credit card processing.
U.S. multinationals will have an easier time complying with the GDPR. They have more resources to help with the transition. Still, making the switch for these larger players won’t necessarily be easy, either. And U.S. multinationals will likely become the initial “test cases” that help determine how broad and far-reaching the GDPR truly is.
Stay Tuned for More Updates About the GDPR
The General Data Protection Regulation won’t go into effect until May, but at BluePay we’ll continue to monitor these changes and let you know what, if anything, you need to do on your end. If you have specific questions about the GDPR in the meantime, schedule a free consultation today.