In May 2018, the EU’s GDPR (General Data Protection Regulation) will go into full force.
GDPR is a set of regulations protecting EU consumer data and covers businesses both inside AND outside the EU. In other words, if your U.S. company sells goods or services to people in the EU, you must protect their personally identifiable information as prescribed by GDPR.
Like many U.S. data protection regulations, GDPR is broad but short on specifics, partly because it leaves many of the details to each EU member state. GDPR covers data breach notifications, user consent, data sharing, data protection for children, and a number of other privacy issues.
If you don’t sell consumer products or services to EU consumers, or maintain any data about EU consumers, you are not required to comply with GDPR. And since most high-profile cloud vendors and SaaS applications (e.g. Amazon Web Services, Microsoft Office 365) plan to become GDPR compliant, we don’t expect that many of our clients, even those with EU consumers, will need many technology changes.
As a first step, if you do have EU consumers, we strongly recommend you contact your legal counsel to discuss whether you need to comply with GDPR regulations, and if so, reach out to us so we can help evaluate how your technology infrastructure may be impacted.