The enforcement date for the General Data Protection Regulation (GDPR) is May 25, 2018. The regulation protects the personal data and privacy of individuals within the 28 member countries of the European Union, and it affects U.S. companies which "offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company's location."
The EU is setting a global standard for data protection, data quality, and ownership, on the premise that people own the data collected about them. Fines and penalties are stiff, but May 25th is not "like Y2K," where the clock strikes midnight and fines are sent out. It is an ongoing effort with the expectation that the rights of individuals be respected. These rights include:
This Forbes article by Yaki Faitelson, Co-Founder and CEO of Varonis, is a good clarification of some of the ways U.S.-based businesses will or won't be affected by GDPR. It also identifies several types of interactions with EU citizens that would be affected. These include: "Article 3 of the GDPR says that if you collect personal data or behavioral information from someone in an EU country, your company is subject to the requirements of the GDPR. Two points of clarification. First, the law only applies if the data subjects, as the GDPR refers to consumers, are in the EU when the data is collected. This makes sense: EU laws apply in the EU. For EU citizens outside the EU when the data is collected, the GDPR would not apply."
But, like any other "Big Thing," service firms are popping up all over the place, including vendors selling "certification" and GDPR compliance consultancy. Privacy experts or privacy lawyers could be offering these services, but it appears there is a rash of pop-ups. And "certification" isn't a thing yet - at least in the U.K. While this blog post is a year old, nothing appears to have changed. David Froud's blog is an entertaining and clarifying read, and as he says, GDPR is not "an IT problem" but a business one.
So, spend some time reading the GDPR website, and look at how data subject consent is to become explicit and unambiguous.