Author: Cassie Scott
The European Union’s General Data Protection Regulation (GDPR) takes effect May 25, 2018, and requires major changes to how companies collect and store personal information about Europeans. Is your business compliant? If not, you’re risking fines and lost contracts.
To get the scoop on the GDPR, we spoke with Brian McGinnis, a GDPR and data-security expert, and a partner at Barnes & Thornburg LLP in Indianapolis.
What is GDPR?
McGinnis said this new European Union regulation replaces the EU Data Protection Directive of 1995, which regulated how Europeans’ personal data are processed. “A lot has changed with technology and the internet since 1995,” he said.
The GDPR specifies how Europeans’ personal information can be collected, stored, disclosed and used. The law is designed to provide citizens greater protection and control over their data.
Does the GDPR Apply to Me?
Although the GDPR only regulates how Europeans’ personal data are processed, it affects how organizations worldwide operate. That’s because it applies to any company, wherever it is located, that controls or processes the personal data of people in the EU. The EU GDPR Compliant website defines the terms “controller” and “processor.”
McGinnis said the GDPR affects most ATA-member companies. “The nature of business today is that people are generally open for business, and take orders from all over the place, and market all over the place,” he said. “Therefore, GDPR applies to a lot more companies than you’d initially think.”
McGinnis recommends all companies conduct an analysis and ask, “Does GDPR apply to us?” If so, they likely must make changes to comply. He suggests business owners learn and understand what personal data are coming into their company, and how those data are collected, stored and used.
Once they realize what information their company has, they can rethink how they collect, store and use that information. They must also decide how to manage information, improve those processes, and make changes to comply with the GDPR.
By complying, they’ll address another big issue for companies: data breaches. Better data collection and storage processes help companies respond and react to a breach, McGinnis said.
“Ideally, GDPR provides more transparency, notice, choice and control to people over the uses of their information,” McGinnis said. “These changes are best practices for organizations serious about protecting people’s information, and being open and transparent about your intentions with the information.”
Companies that don’t comply with the GDPR risk fines, penalties and lost contracts and business. McGinnis said the new regulation provides regulators more enforcement capabilities. Authorities can fine violators up to 4 percent of their annual global revenue or 20 million euros, whichever is higher.
Also, as large companies make changes to comply, they require vendors and business partners to comply. Companies that don’t comply also risk losing business to competitors that follow the rules. After all, it’s bad business to work with companies that ignore laws and don’t strive to protect customers’ personal information.
The GDPR can seem intimidating and confusing, but Wendy Lang, ATA’s membership manager, said the ATA can help.
“We value our members’ time, and understand that running a business requires many moving pieces to operate smoothly,” Lang said. “GDPR is one of those moving pieces. We strive to provide the best possible resources and information to help members comply with the GDPR. Please use ATA’s resources to learn how to protect your business.”