Most people received updated privacy notices from several websites they frequently visit over the last several weeks, but very few know why they received them. Most of it was prompted by the General Data Protection Regulation (GDPR), which was approved by the European Union in April 2016 and became enforceable on May 25, 2018.
If you own and operate a business in California, surely you don't have to worry about some regulation passed by the EU, right? Not necessarily.
What is GDPR?
GDPR is the most sweeping change in data privacy law in the last 20 years. The regulation governs the processing of an individual's personal data, including its collection, storage, transfer, and use. It gives individuals located in the EU (the "data subjects", whatever their citizenship) control and rights over their own data by mandating how organizations collect, manage, and store that data.
The regulation gives data subjects 8 fundamental rights:
- Right to be informed
- Right of access
- Right of rectification
- Right to erasure (a.k.a. the right to be forgotten)
- Right to restrict processing
- Right to data portability
- Right to object
- Rights in relation to automated decision making and profiling
Does GDPR Apply to My California-Based Business?
If you own and operate a business in California, the first thing you should know is that the GDPR's territorial scope (Article 3) reaches any company or organization anywhere in the world that offers goods or services to individuals in the EU, or monitors their behavior, regardless of the company's size or where the data is stored. The often-quoted figure of 250 employees is not an applicability threshold; it only determines whether an organization must keep formal records of its processing activities (Article 30), and even small organizations lose that exemption when their processing is risky, regular, or involves sensitive data.
In California, this is not a new concept. Californians enjoy a distinct advantage, in that California was the first state in the U.S. to pass a data breach notification law. That law was created to give early warning to those at greatest risk of identity theft, which is strikingly similar to the breach notification duties in Articles 33 and 34 of the GDPR (notice to the supervisory authority within 72 hours of becoming aware of a breach, and notice to affected individuals when the breach is likely to put their rights and freedoms at high risk).
There are a lot of nuances to GDPR. If your California-based business has a physical presence (an "establishment") in the EU, then you must be GDPR compliant. If, however, your business operates only in the US, it still may fall under the scope of the regulation's requirements:
- If your California-based business has a website that markets products or services to individuals in the EU (for example by accepting payment in euros, offering EU shipping, or publishing in an EU language), you will need to ensure compliance. Merely being reachable from the EU is not enough on its own; the regulation looks at whether you intend to serve people there.
- If you process personal data on behalf of customers who are themselves subject to GDPR, they are required to bind you contractually to GDPR obligations as their processor (Article 28), so you must be compliant as well.
- If you wish for your business to have more prospects for establishing lasting, mutually beneficial relationships with other companies, it would benefit you to be compliant, since GDPR-bound partners increasingly require it of their vendors.
GDPR Doesn’t Just Apply to Online Transactions
While GDPR was written to be technologically neutral, the regulation states (Article 2) that it applies to the processing of personal data wholly or partly by automated means, and also to non-automated processing of personal data that forms part of, or is intended to form part of, a filing system. The latter easily covers information kept on paper, meaning physical records that contain personal data fall within the regulation's scope.
As a security risk, printed records are mostly overlooked. Yet certain types of companies, such as legal, financial, and medical firms, use large amounts of physical, printed documentation. Not all of them take stock of what personal information they hold in printed form, though it would be in their best interest to do so: a filing cabinet needs access controls, retention rules, and secure disposal just as a database does.
How to Proceed
While the GDPR is often described as a way to keep large data-processing businesses in check, the way it is written means that any organization within its scope must know what personal data it holds, where and why it holds it, how long it keeps it, and how it will honor the data subject rights listed above, and must be able to produce that documentation when asked. Any in-scope processing of personal data is covered, whatever the size of the business.
The regulation outlines very high penalties for violations, up to 20 million euros or 4% of annual worldwide turnover, whichever is higher, and at this point it is unclear exactly how aggressively supervisory authorities will enforce it against companies outside the EU. A smart business owner in California will want to set up their procedures so the unthinkable won't happen, even if their business is a small one.
If you believe your California-based business falls under GDPR and you don't know how to proceed, we can help. Alvaka Networks is prepared to help you learn how to achieve GDPR compliance for your business and will help you implement it. Our professionals will guide the work of your team or do the work for you. Contact us today and we'll get started.
If you are interested in learning more, visit our GDPR page and request a free consultation.