Companies that work across international boundaries have to educate themselves about local customs, business practices, and legal climates. For U.S. businesses working in the European Union, that includes understanding the EU’s much more stringent privacy regulations. Here’s a quick rundown of what you need to know.

What Is the GDPR?

The General Data Protection Regulation, or GDPR, was adopted by the European Parliament in 2016 and will come into full force throughout Europe in May 2018. The legislation was assembled to address the public’s concerns about data privacy and other risks associated with online activity. The GDPR increased data protection beyond what the previous laws offered and clarified consumer rights with regard to data.

The law states outright that protecting a person’s sovereignty over their personal data is a fundamental right, and the serious penalties allowed for enforcement make it clear that this right is taken seriously. If you will be doing business in the EU and collecting personal data from EU residents, it is vital to educate yourself about the GDPR.

What are the rules under GDPR?

The GDPR is a complex collection of regulations. A few of its major provisions include:

  • Violators pay increased fines.
  • Users must give clear, unambiguous consent for you to use their data, and you must only use it for the purpose defined.
  • Any breach must be reported within 72 hours, and users must be informed promptly.
  • Anyone who collects data on EU residents has to conform, no matter where they’re based.
  • Users have the right to demand that their data be removed; for instance, if a user closes an account with a company, that company must delete all the information it has collected about that individual.
  • Transferring data outside the EU is allowed, but you are still responsible if EU resident data is lost outside the EU.
  • Users can work together to sue using class action lawsuits.
  • EU residents have the right to require companies to correct outdated or incorrect information.
  • The age of data consent is raised from 13 to 16.

Does the GDPR apply to American companies?

Any U.S. company that transfers, collects, processes, hosts, or shares data within the EU needs to abide by the new rules. The data controller and the processor will share liability, so companies that handle data are expected to comply with the GDPR regardless of their function or role.

What are the consequences for violating the GDPR?

The GDPR is armed with significant increases in sanctions over previous European data protection laws. Any organization or individual that collects data on EU citizens must comply with the GPDR, which will be enforced evenly across the European Union. The new maximum fine is €20 million or 4 percent of an organization’s global turnover, whichever is higher.

The provisions of the GDPR are far-reaching and complex, and the penalties for violating them will be severe. With only a year to go before the laws are in full force, companies that work with European data need to be updating their systems now to meet the new provisions in time.