What Should You Know About Collecting Personal Information from EU Users?

Hardly a day goes by without news of another major data breach. As breaches become more common, security concerns are a much higher priority for many businesses. The average cost of a data breach is $4.24 million, which represents a 10% increase from the average cost only three years ago. But data breaches aren’t your only concern. Noncompliance with personal information regulations can also result in hefty fines.

The global nature of commerce further complicates the matter of compliance. It is much easier for businesses now to attract customers worldwide, which is a huge benefit since your customer base can grow exponentially. Unfortunately, many nations have different laws to protect personal information, and staying abreast of all the different regulations can be a monumental challenge.

Working with customers in the European Union (EU) can be particularly challenging since these countries have stringent data protection regulations. And even if you move customer data out of the EU, your company must still treat standards of care and protection as the data would receive within any EU country. Therefore, before collecting, storing, or moving any personal data from users in the EU, you must understand how to do so legally – or risk fines and penalties for noncompliance.

Personal Data & GDPR

Personal data within the EU is protected by the European General Data Protection Regulation, or GDPR, which went into effect in 2018.Before this regulation, companies were free to collect and store as much personal data as possible. They could also store it for any length of time. At a fundamental level, the GDPR sought to give individuals more control over their data and reduce the risk of data breaches or the mishandling of personal information online. It also wanted to ensure that companies cannot exploit weak data protection laws in other areas of the world, which is why the GDPR requires that the information be treated similarly no matter where the business may be located or using the data.

The GDPR defines personal data to include names, email addresses, locations, IP addresses, and browser histories. IT also considers web server logs as personal data. Companies can collect this data, provided the users remain anonymous, but it must be held for the shortest time possible. This regulation also discourages collecting certain sensitive information unless required by law. Examples include race, ethnicity, political affiliation, religious affiliation, union membership, genetic or biometric data, medical information, and sexual orientation.

GDPR Compliance

Strategies to comply with the GDPR to allow companies to collect data still include ways to separate identity from the data itself or make it useless to anyone who might obtain it. Examples include:

Anonymization: This process strips all traces of identity from the personal data so that nobody can identify the individual that corresponds to the data.
Pseudonymization: This process is similar to anonymization, except that the information about the identity and the data itself is stored separately and requires extra information before they can be reconnected.
Encryption: Encryption codes personal data so that it doesn’t make sense to anyone who doesn’t hold the decryption key. It is a complex process that renders the data useless in the event of a breach.

How Costly Are GDPR Fines?

No matter the size or location, any organization can face significant GDPR liability for data from users in the EU. GDPR fines are designed to ensure that even one mistake related to personal information can be costly. And the penalties are severe. They are broken into two tiers to account for the type of violation and the severity of the infraction.

The less severe penalty allows for penalties of up to €10 million or 2% of the firm’s global annual revenue from the preceding financial year, whichever is higher. The more serious penalty is reserved for infringements against the right to privacy principles. In these cases, the penalty can be as high as €20 million or 4% of the firm’s worldwide annual revenue from the preceding financial year, whichever is higher.

A Better Way to Achieve Compliance

As global commerce becomes easier, complying with the GDPR will become more important since the fines are incredibly steep. And it is worth noting that the law is far more complex than the summary presented here. There are 26 Privacy Shield Principles that regulate how U.S. businesses undertake EU commerce and its related data.

Moving and storing data from users in the EU legally is very complicated. Managed IT service providers can simplify this process. Most are intimately familiar with GDPR compliance requirements, so you can rest easy knowing your company isn’t at risk. For more information about managed IT services, contact Sagacent Technologies today!

Sagacent Technologies offers technology management and support, including proactive/preventative maintenance, onsite and offsite data back-ups, network and security audits, mobility solutions, disaster planning, and emergency business resumption services. The company serves clients of 10 to 150 employees within the Silicon Valley region.