The European Union’s General Data Protection Regulation (GDPR) became effective in May. It’s one of the biggest changes to European data security in the past two decades.
It will certainly have an impact on business websites and e-commerce – even those in the United States.
GDPR is designed to give those living in the European Union more control over their personal data as well as ensure that their information is stored safely across Europe. It applies to any company that sells to or stores personal information about citizens in Europe – including companies on other continents.
The new law gives citizens in Europe new rights and control over how their information is used when collected by companies. They include the following.
Right to be forgotten. Consumers can withdraw their consent from companies that have collected their information and have the right to get that information deleted at any time.
Right to access. European residents have the right to get access to their personal data stored at a business and find out, in detail, how their information is being used. Companies must provide this information free of charge.
Right to be informed. Citizens must explicitly give their permission before companies may gather data on them. They must also be told exactly what data is being gathered and stored.
European residents also can ask for their data not to be used for direct marketing of any kind. The law also requires that companies notify consumers within 72 hours after a data breach has occurred. In the past, and especially in the United States, this has taken months and even years to happen.
Clearly, there’s a lot to take in on this topic.
For example, according to Forbes, a business would have to target a data subject in an EU country before coming under the law. Someone living in Paris who stumbles across your business site is not covered under the GDPR.
However, sites that use the language of a country, make references to the EU and openly solicit EU customers would fall under the law.
The GDPR is expected to have the biggest impact on U.S.-based businesses in the following fields: hospitality, travel, software services and e-commerce. However, any business that gets customers from the EU should carefully review its data policies to ensure they meet GDPR standards.
It’s important to determine if your business falls under the GDPR and if you are compliant. Penalties for violating the GDPR can reach 4 percent of revenue or 20 million euros, whichever is higher.
About half of companies in the U.S. and Europe are not yet GDPR compliant.