Even more importantly, even though the European Union is behind these changes, nearly all US companies will be impacted in some way or another. Companies that do business online or have a website will need to revise their own policies to some degree to be in compliance with the latest version of the General Data Protection Regulation.
One of the less publicized changes to the General Data Protection Regulation, which went into effect on May 25th of this year, is Article 3.
This article sets out how the regulation applies based on whether a consumer resides in the European Union or the United States. The latest changes apply to European Union consumers, but specify that no actual money needs to change hands for the regulation to take effect. In addition, websites that target their marketing at European Union residents in particular will also be subject to the latest regulation changes; for example, websites that either reference the European Union or adapt the language on their site to that of European Union consumers.
Some key industries in the United States that will be affected by the new General Data Protection Regulation are hotels, e-commerce, travel, and software services.
These latest changes to both data collection and Internet privacy need to be taken seriously by any company with an audience or customer base in the European Union. Terms and conditions are one area that all companies need to pay special attention to: they need to be clear and understandable to the average consumer. It’s no longer as simple as having someone check a box without really knowing what they are consenting to. Companies will also be expected to ask permission for all means of data collection and sharing.
Companies that already follow the previous data protection regulations with regard to security standards shouldn’t expect to be overwhelmed by these changes.
The biggest hurdle companies are going to face is the new 72-hour breach window. The regulation now states that security breaches must be reported to either the European Union or the affected consumers themselves within 72 hours. Whom companies have to report this information to depends on the severity of the breach. Minor breaches can be handled by simply notifying the European Union; major breaches, however, must be handled by notifying all individual consumers who may be impacted.
The best way for companies in the United States to react to this new, stricter General Data Protection Regulation is with haste.
The sooner companies comply with the regulation, the better off they will be both professionally and financially. Quick adoption of these new policies shows consumers that companies are trustworthy and that they respect their privacy. Complying with the new regulation right away also helps to avoid racking up fines or tarnishing your company’s reputation.