If your organization collects data from citizens of the European Union, you should be aware of the new General Data Protection Regulation (GDPR). Effective May 25, 2018, GDPR will introduce a major shift in how users' personal data is handled by businesses.
Instead of attempting to deal with a patchwork of national laws, GDPR applies to entities controlling or processing personal information in the EU and to entities outside the EU performing the same activity regarding people within the EU. This could mean your American company may be required to comply.
GDPR's concept is simple: users, not businesses, should control their personal information. Nevertheless, implementing that simple concept may be a tough thing to do. Up until now, organizations that harvest and monetize user data could inform users of that practice by using long, unreadable privacy policies.
That will no longer be acceptable under GDPR. Users will now need to separately agree to some uses of their personally identifiable information (PII) by a business. GDPR greatly expands the definition of PII to include any unique ID, including cookies, RFID tags, or other information that, alone or combined with other information, could be used to identify or single out an individual.
Complying with GDPR will involve a thorough study of how your organization collects, stores, and uses the PII of your EU users. This includes how third parties use your data.
Know all the information collected, plus its sources, and why it is collected. Learn where that data is stored, and for how long. Know who has access and how the data is shared. Under Article 13 of the GDPR, users must be informed about the storage period for their PII; how they can access, rectify, erase, transfer, or restrict the processing of personal data; their right to withdraw consent; their right to complain to supervisory authorities; and whether the information provided will form part of a profile. "GDPR Compliance Tips for Small and Medium-Sized Businesses," www.cobar.org (Feb. 2018).