This compliance hurdle needs to be on your radar screen if you do business in the EU

The General Data Protection Regulation gives European consumers the “right to be forgotten.” (Image: artJazz/Getty Images)

Companies that interact with European customers have 113 days to make sure their web strategies sync with the General Data Protection Regulation, or GDPR, which goes into effect on May 25.

The point of the regulation is “to harmonize data privacy laws across Europe, to protect and empower all European Union citizens’ data privacy and to reshape the way organizations across the region approach data privacy,” according to the EU’s GDPR website. But the 28 EU countries aren’t the only ones it affects. Any organization in any country that processes and holds EU residents’ personal data must comply.

GDPR defines personal data as “any information related to a natural person or ‘Data Subject’ that can be used directly or indirectly [to] identify the person,” such as names, photographs, email addresses, bank account information, posts on social networking websites, medical information or IP addresses, according to the website.

The regulation, approved in April 2016 by the EU Parliament, requires that companies provide a “reasonable” level of protection for personal data and enables consumers to consent to having companies store and process their data.

Additionally, GDPR gives European consumers the “right to be forgotten,” meaning they can ask companies to erase their personal data and stop disseminating it, and the “right to access,” which lets consumers confirm with companies what data they’re using and why. Businesses must report data breaches to supervisory organizations and affected individuals within 72 hours of the incident’s detection.

What’s more, the regulation states that consumers can transmit their personal data from one data controller, or company, to another, essentially giving consumers ownership of their information.

Companies that don’t comply with GDPR face fines of up to 4% of annual global turnover or €20 million ($24.839 million). More than 50% of companies expect to be fined for noncompliance, according to a survey from Ovum.

To understand how GDPR could affect U.S. businesses, consider that it could wipe 2 percentage points from the revenues of Google’s parent company, Alphabet, according to a Deutsche Bank analysis that Business Insider reported on.

“Deutsche Bank estimates that about 33% of Google's revenues come from Europe, and within that population, 30% of users might opt out of data sharing. That would hurt Google's ability to deliver ads,” the article states.

To get ready for GDPR’s enforcement, a CMS Wire article recommends that companies ask themselves what data will be affected and what changes need to be made to make sure that data meets the requirements. Additionally, companies should make process changes and start new platforms before May 25 so they have time to iron out any problems.

PwC’s “GDPR Preparedness Pulse Survey” found that 68% of respondents expect to invest $1 million to $10 million in GDPR compliance efforts, while 9% said they would likely spend more than $10 million. Other companies are looking to reduce their European presence, with 26% of PwC respondents saying they plan to leave the EU market.