A new law is coming to Europe—and it might affect you. It’s called the General Data Protection Regulation, or GDPR. The European Union (EU) Parliament discussed the GDPR for four years before approving it in April 2016. It goes into effect on May 25, 2018.

Here’s what you need to know about it.

What’s it about? In the world we live in, people give their data away for free all the time to companies like Facebook and Amazon in exchange for specific services, says IT Pro. But what if you don’t want a company to have your data anymore, or what if there’s a data breach? That’s where the GDPR steps in. The GDPR aims to protect people’s privacy.

The GDPR is not optional guidance or a list of suggestions. It’s a law in the European Union. “By making data protection law identical throughout member states, the EU believes this will collectively save companies 2.3 billion euros annually,” says IT Pro.

Though not an American law, it will still affect American companies. Because the GDPR protects EU citizens’ data, no matter where that data is, American companies who deal with data of EU citizens need to comply with the GDPR. If you contract out to another company, you’re responsible for making sure that company complies.

Do I have to comply? If you don’t, you could face “unprecedentedly steep fines of up to 4 percent of [your] total global revenue,” warns MarTech Today.

No matter how small or large you are, this affects you. If you currently deal with EU consumers or clients, you need to stop that entirely or do everything you can to be compliant. You may also need to assign a Data Protection Officer (DPO). This person would oversee data, keep records, and ensure compliance.

What do I do with data? MarTech Today explains, “A company must not only handle consumer data carefully but also provide consumers with myriad ways to control, monitor, check and, if desired, delete any information about them.”

Interviewing a candidate from the EU? Make it very clear what information you need from them. Get their permission to use every piece of data they give you. And if the candidate moves on and asks you to erase their data from your system permanently, do it.

What kind of personal data does the GDPR govern? Basically, anything that could identify someone. The eugdpr.org site gives a list:

  • Names
  • Photos
  • Email addresses
  • Bank details
  • Social networking posts
  • Medical information
  • Computer IP addresses

So that’s what the GDPR is. Don’t get caught unawares. Come back for the next post on what you can do to get ready. And don’t forget, ASJ is here to answer your questions about marketing and to help you grow your company in an increasingly complicated world.