That’s right! We’re starting this article with a good-ole summary. Why summarize an article before it starts? Simply because lots of people are talking about it and almost no one fully understands it. GDPR has confusing legal, tech, and business overlap, so it’s easily misinterpreted. We wanted to get the whole “Omg! The Sky is Falling!!” junk out of the way first.
So what should you know? First, read what GDPR is below. Second, know that if you are a business operating in America that doesn’t serve clients living in Europe and has fewer than 250 employees, your risk is low. Honestly, it’s fairly safe to say that if you’ve never even heard of GDPR, then this probably doesn’t concern you – because if you knew what it was, you’d have been preparing for a while now.
With new European data laws, confusion grows for American businesses.
So what is GDPR? GDPR stands for General Data Protection Regulation. It’s a set of laws passed in the EU that deal with how businesses collect and store information about European Union residents.
The GDPR goes into effect on May 25th, 2018. It creates consistent data protection rules all across Europe and even applies to companies outside of Europe that process and store data for individuals living in the EU.
Due to the broad scope of these laws and the fact that American companies can be held liable by EU entities, there seems to be confusion and fear over who is responsible for what information and whether there is any risk for businesses that are not located in the EU.
Clearly, these kinds of laws are controversial. In theory, the laws are great because they incentivize companies to protect customer data, especially in the case of a breach. However, it’s our opinion that this is a “gut reaction” law – meaning that the laws only seem to apply once a company is caught, since no external entity can effectively monitor whether a company is abiding by the regulation.
Because everyone here is rusty on their international law, it’s impossible for us to fully analyze the implications, reach, or legal nuances of GDPR. However, we can comment on aspects of GDPR that are clear and should put some businesses’ minds at ease.
Who does this apply to?
The GDPR was written to address companies that store or process personal information about EU citizens who are currently living in the EU at the time the data is collected. A company DOES NOT have to have a field office or physical presence in the EU to be held to this law. This means that American companies could be at risk.
The most impacted businesses are the ones that have a presence in the EU or process data on European residents.
Who does this NOT apply to?
There seems to be one very important detail that pundits keep ignoring. This detail applies to most small businesses or medical practices operating in America.
The GDPR stipulates that the law only applies if the person you are collecting data on is in the EU when that data is collected and is an EU citizen. Of course, the rest of the law is so nebulous that it’s totally forgivable that this detail has been overlooked.
But the bottom line is this: If you are a business operating in America that doesn’t serve clients living in Europe and has fewer than 250 employees, your risk is extremely low.
Why so much fear?
The main problem is that GDPR is written in such a way that it seems to affect just about everyone. Additionally, it’s very technical. You have to define things like “Data Provider” vs. “Data Processor,” and quite frankly, we don’t even really know where to draw the line with some of those definitions. Furthermore, it stipulates that a company must provide a “reasonable” amount of protection while not defining what the term “reasonable” even means!
The heart of the law is there, but the implementation and rules seem to provide no clear-cut examples of who is responsible for what. This is why we call GDPR a “Gut Law,” because it seems that policymakers simply want those whose data has been breached to be punished after the fact. It doesn’t seem to stop anything, but it does make everyone feel better after it’s happened since there are stiff legal penalties involved.
Because of how confusing GDPR is, it’s hard to blame people. But ClearPG has seen several articles put forth in the service industry suggesting that the sky is falling. The sky is not falling.
We read all of these articles so that you don’t have to. But if you want to fact-check us and have literally nothing better to do with your time, feel free!