
Should Clubs Be Worried About GDPR?

May 18, 2018


I am sure the first response of many is “I hope not, because I have no idea what it is.” That is a reasonable response, and you shouldn’t feel alone, because many businesses on this side of the pond are still trying to navigate how it applies to them. For the time being, unless your Club has a high number of European members, you probably should not be overly concerned about it. However, you should educate yourself on the GDPR regulations, because they will more than likely set the stage for regulations to be implemented in the U.S. and throughout the world.

So, what is GDPR? The acronym stands for General Data Protection Regulation. The bottom line is that this regulation is designed to help individuals protect their privacy and control their own data. This regulation goes into effect on May 25, 2018. The key impact on US businesses is that it protects citizens of EU countries no matter where the website owner or company is based. Thus, if a US-based company is doing business with, or collecting any data that specifically targets, an EU data subject (person), then that organization must adhere to the regulations.

Some of the key regulations are:

  • Expansion of Private Information: Under GDPR this definition gets widely expanded, meaning that companies will have to re-examine what they consider to be “personal data.”
  • Handling, Protecting and Removing Data: The most impactful piece of this is that consent for opting in must be “freely given, specific, informed and unambiguous.” No more easy opt-in and difficult opt-out.
  • Mandatory 72-Hour Breach Notification: Organizations will have 72 hours to report to authorities any breach that is detected. Furthermore, if password hashes are suspected to be compromised, the organization must contact the specific data subject (person).
  • Fines: Fines for non-compliance can be as high as 20 million Euro or 4% of a company’s revenues.

Why are we telling our clients about this? Because it is our belief that we will soon see some derivative of this regulation in the US. The recent debacles at Twitter and Facebook will likely speed this up. Also, remember EMV credit card readers? That standard started in the EU well before it became a standard in the US.