On May 25, 2018, the General Data Protection Regulation (or “GDPR”) came into force in the European Union. Some may have heard of this piece of EU legislation – most likely because it has to do with data and privacy, which are hot topics because we all just watched Mark Zuckerberg, founder of Facebook®, get rolled at a Congressional hearing because of his company’s practice of giving away folks’ data.
So, what exactly is the GDPR? And why should companies (especially small or medium-sized companies in Vermont, no less) care?
In a nutshell, the GDPR defines new “rules” to govern the relationship between EU residents and any company that collects or obtains their personal data (like name, address, email address, and telephone numbers). These rules heavily favor the individual’s ability to control how companies exploit their personal data. And notice the emphasis on “any” here – these rules are written to apply to companies “not established in the Union” that perform activities on personal data (including collecting personal data), where those activities relate to “the offering of goods or services” to EU residents.
The rules create a broad mandate. Consider, for example, Company USA, which sells goods directly through its own website, where the purchaser has to create an account or simply provide their name and email address (which Company USA may use to send follow-on communications about new products, conduct satisfaction surveys, or simply provide confirmation of purchase). As written, Company USA might need to comply with the rules of the GDPR where the purchaser is resident in one of the 28 countries of the EU.
Time will tell how this new data paradigm impacts companies in both the EU and the U.S. In the meantime, Company USA (and others here in the U.S.) might consider a few basic steps toward compliance with the GDPR:
- Review your customer base to identify whether you do business with any EU residents (or what the GDPR calls “data subjects”).
- Audit how you collect, store, and use personal information from customers.
For additional information or questions, feel free to contact Michael Wasco, Head of the Patents + Intellectual Property Practice, at firstname.lastname@example.org.