Do You Really Have to Comply With GDPR?
"My partners and I launched a software-as-a-service (SaaS) application earlier this year.
"We've gotten a good response to our product. Virtually all of our customers so far are in the United States and Canada, but we've started getting inquiries from potential customers in Europe.
"We're aware (thanks to your column) that Europe has a very detailed regulation on privacy that's very costly and difficult to comply with. While we don't want to turn down European business, we are nervous about the cost of complying with this regulation.
"Can you address this in a future column?"
The regulation this reader is talking about is the General Data Protection Regulation, or GDPR, which the European Union adopted in 2016 and which has been enforceable since May 25, 2018. The authoritative text is the one published in the Official Journal of the European Union; it is reproduced at http://www.eugdpr.org, and a more user-friendly, article-by-article version can be found at http://gdpr-info.eu.
The GDPR runs to 99 articles, and its reach is not limited to companies located in Europe: under Article 3 it applies to any company, anywhere in the world, that offers goods or services to people in the EU or monitors their behavior there. Among many other rules, companies must do the following:
-- Have a lawful basis for every use of personal data (Article 6). Consent is only one of the six bases, and where a company relies on it, the consent must be freely given, specific, informed and unambiguous, which in practice means a clear affirmative act rather than a pre-ticked box (Articles 4(11) and 7). Whatever the basis, individuals must be told what is collected and why (Articles 13 and 14) and can demand a copy of it (Article 15).
-- Not hold data for any longer than necessary for the purpose it was collected for, not repurpose the data for something incompatible with that original purpose (Article 5), and erase it at the request of the individual when the conditions of Article 17 are met -- the infamous "right to be forgotten." (Article 18 gives the individual the related right to have processing restricted, for example while a dispute over accuracy is resolved.)
-- Appoint a data protection officer if their core activities involve large-scale, regular and systematic monitoring of individuals, or large-scale processing of sensitive categories of data such as health or biometric data (Article 37).
Companies that don't comply face administrative fines of up to 20 million euros or 4% of worldwide annual turnover for the preceding year, whichever is greater, for the most serious infringements, and up to 10 million euros or 2% for lesser ones (Article 83). These are not theoretical: European data protection authorities have already taken enforcement action for GDPR violations against large U.S. tech companies with a substantial European presence.