Any business in the U.S. that has an online presence and markets its products over the Web will have to know about the GDPR.
Starting May 25th, 2018, if you collect personal data or behavioral information from someone in an EU country, your company is subject to the requirements of the GDPR. The new law applies only if the data subjects (the GDPR's term for consumers) are in the EU when the data is collected. For EU citizens outside the EU when the data is collected, the GDPR would not apply.
A financial transaction does not have to take place for the extended scope of the law to kick in. If your business collects personal data such as name, address, email, IP address, etc., then that data would have to be protected GDPR-style.
Here are some key points to remember regarding the GDPR.
Consent
While obtaining data, consent needs to be explicit, clear and affirmative. According to Article 4 of the GDPR, consent is defined as: “Any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed.”
Notification of data breach
If a data breach occurs, the supervisory authority needs to be informed within 72 hours of its occurrence. If the privacy of any EU citizens is at risk, they need to be notified as well. You’ll need to be vigilant and acutely aware of any actual or potential data breaches that may impact customers or individuals located in the EU.
Right to be forgotten
Pursuant to Article 17 of the GDPR, every individual reserves the right to ask for the deletion of their personal data in situations when the data is no longer required “… in relation to the purposes for which it was initially collected or otherwise processed.”
With this in mind, be prepared for any customers you might have in the EU to request that you remove any information you have stored pertaining to them.