Kelly DeMarchis Bastide was quoted on March 19, 2018, in CEO Update in an article about the upcoming European Union regulation known as the General Data Protection Regulation (GDPR), which takes effect May 25, 2018, and creates tough new mandates for how business and nonprofit organizations store and handle personal data. The rule is expected to expand the scope of the EU's data privacy and breach notification requirements.
There is little comparable in U.S. law, although other countries outside the EU have adopted data privacy requirements closer to Europe's. For that reason, cybersecurity experts say it is worthwhile for any organization to review the policies and procedures it has in place for securing data about members or customers.
"One of the major changes with the GDPR is it is explicitly extraterritorial and it will reach organizations that don't have offices or employees in Europe," said Ms. Bastide. "If they offer their goods and services to EU individuals, there has been a little bit of puzzlement in how that applies."
Bastide said that EU regulators are expected to release further guidance on how the regulation applies to organizations outside Europe, but in general an association would have to engage actively in purposeful training or marketing aimed at individuals in the EU for the GDPR to kick in. "A really common misconception I see is this is just an IT issue. ... It's not that simple and that's not actually asking the right question," she said.