GDPR: how a new data privacy regulation may impact you


GIF by Maria Philomena Nevada.

Maria Philomena Nevada
Photo Editor

It happens every time you open your inbox these days: another “we’ve changed our privacy policy” email from a company has arrived. However, unless you follow tech and policy commentators on Twitter, you may be unfamiliar with the cause: “GDPR.”

“GDPR,” short for “General Data Privacy Regulation,” is the new data privacy regulation from the European Commission, the executive arm of the European Union. The regulation aims to give EU citizens more control over their data privacy by establishing a new standard for data collection and processing.

Despite its EU origin, GDPR actually poses a challenge to American companies and companies worldwide. The regulation applies to any company or organization, regardless of origin, under certain circumstances.

Article 3 of the regulation states:

“This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

  (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
  (b) the monitoring of their behaviour as far as their behaviour takes place within the Union.”

If an American company has European customers or clients and is collecting and processing personal data—depending on how the data is being used—it could be subject to GDPR.

The punishment for noncompliance and infringement, according to the European Commission’s website, can “include a reprimand, a temporary or definitive ban on processing and a fine of up to €20 million or 4% of the business’s total annual worldwide turnover.”

Currently, 20 million euros is equivalent to more than $23 million.

Friday, May 25, was the deadline for companies worldwide to be in compliance with GDPR.

Coming into compliance with the regulation will depend on the size of the company or organization (including nonprofits), the kind of data it collects and the scale of its processing. The European Commission, on its website, offers both a Code of Conduct and a certification mechanism, both of which are optional, not mandatory.

The inconvenient, sudden influx of privacy policy updates to your inbox is the ripple effect of a general panic among companies worried about being found in noncompliance.

The flipside? American citizens are wondering about how their data privacy is being respected—or not.