Here’s a new acronym for executives at global companies to learn: GDPR.
What does GDPR stand for? It is the abbreviation for General Data Protection Regulation, which is a new set of rules that companies collecting data on European Union citizens must soon comply with.
What’s the motivation behind GDPR? Year after year, corporate data breaches make the news, letting consumers know that businesses they’ve trusted have put their personal information at risk. These new rules are aimed at protecting EU citizens from future breaches.
If you serve customers who live in European Union countries, here’s an overview of the rules you’ll need to comply with — as well as the deadline by which you’ll need to comply.
What are the GDPR’s New Rules?
Since 1995, European Union countries have operated under data protection regulations that have grown increasingly outdated in the 21st century. In April 2016, the European Parliament passed GDPR to replace those outdated regulations.
The General Data Protection Regulation sets high standards for companies to follow in protecting the personal data and privacy of citizens in EU countries during transactions. In addition, GDPR addresses how companies can export personal data outside of the European Union.
But what does the General Data Protection Regulation cover specifically? GDPR outlines protections for certain types of personal data, including:
- A customer’s personal identification information, such as name, address and identification numbers
- A customer’s online information, including IP address, cookie info, RFID tags and location
- A customer’s profile information, like racial identification, ethnic data, sexual orientation, etc.
- A customer’s health, genetic and biometric information
- A customer’s opinions and preferences, including political opinions
The 28 current European Union countries are: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden and the United Kingdom.
Remember, the United Kingdom is still a member of the European Union, though it is expected to officially exit the EU at some point in the near future.
Which Companies Must Comply with GDPR?
Are you affected by these new rules? Your business likely will be impacted. According to a PwC survey, 92% of American businesses are approaching the General Data Protection Regulation as a priority. That’s because GDPR will affect almost every business in the U.S.
The GDPR specifies that a company must comply if it:
- Has a presence in any EU nation
- Processes personal data of EU residents, even if it doesn’t have a presence in an EU nation
- Employs more than 250 team members
- Employs fewer than 250 team members but processes certain types of sensitive data related to EU citizens
That final bullet point is important, because it captures almost all businesses that aren’t captured in the first three bullet points.
When is the Deadline for GDPR Compliance?
Companies serving citizens of EU countries must move quickly to comply with the new GDPR rules: The deadline for compliance is May 25, 2018.
The General Data Protection Regulation directs that companies must provide a “reasonable” level of protection for the information outlined in the section above. The term “reasonable” may be intentionally vague, giving the European Union wide authority to levy fines and issue other consequences to companies that experience data breaches.
For that reason, many companies are planning significant efforts to comply with GDPR rules. According to a report by Ovum, two-thirds of U.S. businesses even expect these new rules to force them to rethink their European strategies.
How Should Executives Approach GDPR Rules?
The same PwC survey suggests that 68% of American companies expect to spend between $1 million and $10 million on GDPR compliance efforts. Another 9% expect to spend more than $10 million.
Who will lead the compliance effort for your company, if needed? The General Data Protection Regulation suggests that a data protection officer, data processor or data controller would be best positioned to ensure compliance. At your company, you’ll want the team member who can answer questions like: What is GDPR compliance? And what does it mean for our company? Compliance is likely to extend beyond just one individual or team, though. Expect full compliance to involve not just internal data management but also the teams that work on product development, digital marketing, sales and other important parts of your business.
Non-compliance will be costly for companies doing business in the European Union. The General Data Protection Regulation calls for penalties of 4% of global annual turnover or €20 million — whichever is higher. Given these expensive penalties, experts predict the EU will collect upward of $6 billion in penalties just in the GDPR’s first year.
For further reading on the General Data Protection Regulation, go straight to the source. You can read the full text of the regulations here, and you can visit the EU’s webpage on GDPR implementation here.
JTB: Your Travel Partner in a Dynamic Global Market
New rules and regulations can quickly change your approach to doing business. At JTB Business Travel, we understand that our clients operate in a dynamic environment that demands responsive support and guidance from strategic partners.
As a comprehensive travel management company, we work with businesses large and small — including many that often send team members to European Union countries. When you need a business travel agency to support you in a rapidly changing environment, we’re here to help.
Contact us today about your company’s business travel needs.