General Data Protection Regulation or GDPR: What You Need to Know

Learn about the General Data Protection Regulation and the requirements for GDPR compliance.

The General Data Protection Regulation (GDPR) will replace the Data Protection Directive in Spring 2018 as the primary law regulating how companies protect EU citizens’ personal data.  If you run a business in the U.S., why should you care? While it’s true that the GDPR focuses on EU countries, it does apply to businesses which offers goods or services in those countries, oversees the behavior of EU data subjects, or which manages, stores, processes, or monitors the personal information of any EU residents.  Here’s what you need to know about the GDPR.

GDPR Basics

The GDPR is a new, EU-wide privacy and data protection law.  It calls for more privacy protections in an organization’s systems, more nuanced data protection agreements, and more consumer-friendly and detailed disclosures about an organization’s privacy and data protection practices.

Several key changes impacting the digital advertising industry include:

  • A broader definition of personal data that includes IP addresses and cookie identifiers.
  • Higher standards for establishing valid consent: Under GDPR, consent must be “freely given, specific, informed, and unambiguous” and made by a statement or by a clear affirmative action.  Companies are responsible for demonstrating that consent was given.
  • Personal data may only be collected for a specific purpose and may not be used for any new, incompatible purposes.

It also includes provisions on providing data breach notifications, safely handling the transfer of data across borders, and requiring certain companies to appoint a data protection officer to oversee the new GDPR compliance.

How Will GDPR Affect You?

If your organization collects, uses, or shares personal data of EU citizens, GDPR will likely apply, regardless of whether or not you have physical operations in Europe.  EU citizens will have the right to ask for details about the way you use their personal data and can ask you to do certain things with that data.  You should be prepared to support people’s requests in a timely manner.  People have the right to request their personal data be corrected, provided to them, prohibited for certain uses, or removed completely.

How GDPR Differs from the U.S.

The United States has opted for a different approach to data protection.  Instead of formulating one all-encompassing regulation such as the GDPR, it chose to implement sector specific data protection laws and regulations.  These include:

  • The Health Insurance Portability and Accountability Act (HIPAA), a set of standards created to secure protected health information (PHI) by regulating healthcare providers.
  • The Gramm-Leach-Bliley Act (GLB Act or GLBA), also known as the Financial Modernization Act of 1999, that seeks to protect the personal information of consumers stored in financial institutions.
  • The Federal Information Security Management Act (FISMA), a federal law part of the larger E-Government Act of 2002, that made it a requirement for federal agencies to develop, document, and implement an information security and protection program.

Data protection is also addressed by the Federal Trade Commission (FTC), which has the power to act against unfair and deceptive practices perpetrated by a large range of companies.

Is your company ready for GDPR?


General Data Protection Regulation

Service Areas: New York ShreddingWestchester ShreddingLong Island Shredding and more!