With one week left before the EU’s General Data Protection Regulation (GDPR) takes effect, we have been fielding a lot of questions about how, or if, it applies to businesses here in Lancaster. Here are three questions to help you determine whether you should worry about the GDPR.
- Who does it apply to?
It is easy to think that businesses here in the U.S. need not worry about the EU’s data protection laws unless you have stores or employees in Europe. But the GDPR’s reach is much broader than that. It is written around where the people are, not where the business is: if you hold personal data about people located in the EU (citizenship does not matter) because you market to them, sell to them, or track their behavior, or if your data is processed by a service established in Europe, then the GDPR probably applies to you. Here are a few examples where the GDPR applies:
- You send email blasts and some recipients are in England (yes, the UK is still in the EU… for now!).
- You have a digital list of mailing addresses to send out physical mail and some recipients of that mail are in Italy.
- You use an online marketing service that processes your clients’ data on servers in Germany.
- What data is protected?
Okay, okay. So I have contacts in the EU on my mailing list. But names and addresses aren’t protected, right? Wrong. Unlike many U.S. laws, such as Pennsylvania’s Breach of Personal Information Notification Act, the GDPR is very broad in its definition of protected information. For example, under Pennsylvania law you need a name combined with some sensitive piece of data, like a Social Security number or a bank account number, before the law applies. The GDPR, by contrast, covers “personal data,” meaning any information that relates to an identified or identifiable person. This includes names, email addresses, physical addresses, social media handles, and even online identifiers such as IP addresses and cookie IDs, plus all the sensitive stuff you would expect, like financial and medical information.