Many businesses in the U.S. assume that the General Data Protection Regulation (GDPR) doesn't apply to them since it's a European-based regulation. Think again. The boating industry is a global marketplace. Your customers and prospects are citizens of various countries throughout the world - even if they reside in the U.S. If your customers and prospects visit the EU, they are protected by GDPR while there.
When your business has any communications or transactions with customers via phone, email, social media or website, it is highly likely that your business stores their personal information/data in some way. And the collection and storage of that personal information is exactly what GDPR was designed to regulate and protect.
What is the GDPR?
The European Union’s General Data Protection Regulation (GDPR) represents the most significant change in data protection law since the inception of the Internet. It takes into account how differently information has been collected and stored since the rise of the digital economy, a shift that rendered the previous legislation, the Data Protection Directive of 1995, obsolete. GDPR was passed in 2016, with enforcement beginning last month.
The GDPR’s scope is significant: it covers companies and organizations anywhere in the world that use or store the personal information of European citizens, of natural persons located in the EU, or of companies operating in the EU; therefore, its remit includes most organizations anywhere in the world. A company is subject to GDPR compliance if it:
- Has a presence in any European Union member country. Presence can be as simple as having a website that can be viewed in that country.
- Has customers or clients based in any member country of the EU. Customers or clients are people that are buying something from you or are interested in buying a product or service.
- Works with suppliers based in any member state of the EU. Any parts, services or contractors that are based in Europe count.
- Conducts marketing efforts in any member state of the EU. Emails, display ads or promotions that are delivered to EU citizens can be considered as “marketing efforts.”
- Has employees, investors, or customers who have citizenship (even dual citizenship) of any member state of the EU. The US is a nation of diversity with residents and citizens from all over the globe. It’s estimated that anywhere between 1 and 8 million Americans have dual citizenship.
What is considered personal data?
According to the GDPR, personal data is any information relating to a person, such as a name, a photo, an email address, bank details, posts on social networking websites, location details, or a computer’s IP address.
What are the consequences of non-compliance?
The most serious penalties include fines of €20 million or 4% of global turnover, whichever is greater.
What does GDPR-compliant mean?
The GDPR requires organizations to implement reasonable data protection measures to protect the personal data of consumers and employees against data loss or exposure. To achieve that goal, the law regulates all areas related to data management and processing, from obtaining user consent to setting up company-wide data protection practices and handling data breach incidents.
My business doesn’t sell boats outside of the U.S., so how does this impact me?
The impact of GDPR is far-reaching, regardless of whether you are located or do business in the EU or US. It’s important that you educate yourself about GDPR and consult legal counsel if you think it is necessary.
What is the media saying about GDPR?
- These Companies Are Getting Killed by GDPR - CNN (May 11, 2018)
- US Businesses Cannot Hide from GDPR - Forbes (March 27, 2018)
- Report: 60% of companies likely to miss GDPR compliance deadline - TechRepublic (April 17, 2018)
- Despite Impending Deadline, Most Organizations Remain Unprepared to Comply With GDPR - Baker Tilly via Business Wire (April 24, 2018)
- Businesses are worried about the challenges of managing data in the lead up to GDPR enforcement - Calligo Press Release (Oct. 24, 2017)