In 2016, the European Union adopted a data privacy law called the General Data Protection Regulation, or GDPR. The law regulates how organizations of any kind, including companies and nonprofits, handle the personal data of people who are in the EU. Its reach is based on where the data subject is located and on what the organization does, not on citizenship: a business anywhere in the world must comply when it offers goods or services to people in the EU or monitors their behavior there, even if the business itself has no presence in Europe. Conversely, an EU citizen living in the United States and dealing with a U.S. company is not, by that fact alone, covered. The GDPR applies from May 25, 2018.
GDPR defines "personal data" as any information relating to an identified or identifiable living individual, whether it identifies the person on its own or in combination with other information. Examples are a name, home or business address, email address, mobile phone number, username and associated account credentials, IP address, cookie or device identifiers, and location data.
The regulation will apply to you and your business if your organization has an establishment in the EU, has employees working in the EU, offers goods or services to people in the EU (including over the internet), collects or otherwise processes personal data of people in the EU, or monitors the behavior of people in the EU (including website analytics that record location, browsing activity and similar data).
If the regulation applies to you, and if your business has a website that serves EU visitors it likely does, you are encouraged to consult a professional familiar with the structure and details of the law before the compliance date passes. Fines for improperly storing, using or sharing personal data can reach 20 million euros or 4% of worldwide annual turnover, whichever is higher. For more information on the regulation, visit EUGDPR.org or download the accompanying FAQ sheet.