Since it became effective on May 25, 2018, the General Data Protection Regulation, or GDPR, has bound U.S. companies in matters of privacy and data security. Specifically, the regulation requires companies to take certain measures to protect personal data when clients or customers hail from the European Union. You might be wondering why a North Carolina company needs to know anything about an EU law. It turns out that the regulation applies not just to EU companies, but also to those outside of the EU.
Here, we provide a brief overview of the GDPR, discuss how North Carolina companies can collect consumer data while still complying with the regulation, and note the potential consequences of violating the regulation. Finally, we will briefly discuss how an attorney specializing in data privacy can help your company comply with the GDPR.
What Is the GDPR?
The GDPR is a regulation that controls the collection and use of personal data of EU users. It was enacted to prevent the misuse of personal data and give EU citizens and those living in the EU control over how their data is used.
The GDPR defines personal data as information belonging to an identifiable person (i.e., not anonymous) that a company collects from EU users. Personal data includes (but is not limited to) information such as:
- Email address
- Physical address
- Identification number
- Telephone number
- Financial information
- IP address
- Gender, race, and political or religious information
Does My North Carolina Company Have to Comply With the GDPR?
The short answer is that, yes, most North Carolina businesses have to comply with the GDPR. While the GDPR is a European regulation, it applies to any company that offers goods or services to EU users or that collects data from EU users.
It is important to note that “EU users” are not just EU citizens. The definition includes all individuals who are physically located in the EU and any EU citizens, no matter their location. This means that if your company sells physical products online, sells services online, or otherwise collects information from customers on the web, it will need to comply with the GDPR, as it is likely that EU users will visit the company website and enter their information.
No matter the type of company or the size, if you gather any personal data at all, the GDPR applies. This means that if you collect consumer information on your website via a lead magnet or opt-in (where you collect a user’s name and email address), for example, you must comply with the GDPR.
How to Comply
There are a few steps companies that collect personal data can take to stay compliant with the GDPR.
While each company is different and should certainly consult an attorney to ensure that its specific practices are GDPR-compliant, at a minimum, companies should consider the following measures:
- Obtain users’ consent: If you plan to collect and keep personal data, you must specifically request the data from the user. Translate this request into clear, concise language so that website visitors understand their data is being collected.
- Provide users access to their own personal data: You must give a user access to the records of their personal data that your company has collected and stored. This access must be free of charge and include an explanation of how the company uses the data.
- Delete personal information when requested: If a user requests that his or her personal data be deleted, you must do so. Users can ask this of a company at any time, and you are obligated to respect those wishes.
- Provide notice of a data breach: If a data breach occurs, you have 72 hours to report the breach to a reporting agency and to any customers who were potentially impacted.
Steps to Take to Keep Consumer Data Safe
While the GDPR may at first sound overwhelming, there are practical steps companies can take to keep consumer data safe.
First, if your company is large and collects substantial amounts of personal data, consider hiring a person to be responsible for GDPR compliance. It would be this person’s responsibility to learn the requirements for collecting and using personal data so that they can handle any user requests (such as deleting personal information) and any breaches. Clearly inform users on your website who is responsible for GDPR compliance and direct them to this person for any requests, questions, or concerns.
Second, spend time developing an online presence that takes into account the requirements of the GDPR. The more time you spend up-front, the fewer issues you will have in the future. This will likely include placing clear language on your website, developing easily accessible policies, and providing users with information on how they can contact the company and inquire about their data use.
Consequences of Non-Compliance
The potential penalties for non-compliance with the GDPR are staggering. Depending on the nature of the non-compliance (such as how long the violation lasted, what types of personal data were involved, and what steps were taken to fix the issue), businesses can face fines of the greater of $20 million or four percent of the company’s annual revenue.
While it is unclear how EU regulators would collect fines from a North Carolina business with no ties to the EU (other than EU customers or website visitors), business owners should be aware of these potential monetary consequences and do all they can to comply with the GDPR.
How a Data Privacy Attorney Can Help Your Company
An attorney specializing in data privacy issues can assist your company with developing privacy policies, reviewing your online security processes, and more, to ensure you comply with the GDPR.
Whether you are a one-person startup or a fast-growing North Carolina business, contact our data privacy attorneys today to learn how we can assist you. At Wilson Ratledge, our attorneys regularly advise our clients on issues of data privacy and keeping consumer information secure. For questions or assistance, reach out to us by calling 919-787-7711 or via our contact form below.