Businesses in Alabama: What Does the General Data Protection Regulation (“GDPR”) Mean for You?
by Michael A. Vercher, Partner
The General Data Protection Regulation (“GDPR”) is a regulation that protects the personal data and privacy of European Union (“EU”) citizens. It goes into effect on May 25, 2018. If you are thinking that the GDPR has no possible impact on your Alabama-based business, you may be right – but the impact of the GDPR has the potential to reach far beyond the EU itself, and you need to look at the regulation and its potential impact closely.
The GDPR was enacted by the European Parliament in 2016, and it replaces a 1995 data protection directive in response to a growing worldwide concern over privacy. Generally speaking, it requires businesses to protect the personal data and privacy of EU citizens for transactions that occur within EU member states, but it also regulates the export of personal data outside the EU.
A main goal of the GDPR is to strengthen a customer’s ability to control their personal data as it is collected by companies. Among its many provisions, the GDPR requires plain language disclosures about what personal information a company keeps and what it does with that data. A customer must also be allowed to easily withdraw their consent, and only someone with “parental responsibility” may opt-in to data collection on behalf of a person under the age of 16.
Like most regulations, the GDPR’s provisions will be open to interpretation. By way of example, a business is required to notify customers of a breach “without undue delay.”
If your business collects data on EU citizens, including the information contained in a typical online transaction, you need to take a close look at the GDPR. The stakes are high. Punishments for a violation of the rules can include fines of up to 4 percent of annual global turnover or 20 million euros (approximately $24 million dollars), whichever is greater.