Are you GDPR compliant? Any business collecting, controlling or processing personal data - which includes collecting email addresses from customers online - is required to comply with the General Data Protection Regulation, which was adopted across the EU in 2016 and applies directly (including in the UK) from 25th May 2018. You could still be caught out and fined even if you think you do not need to comply because your business is outside the EU. Here's what you need to know:
Why U.S. and Other Non-European Companies Need to Comply with GDPR
By Anne Mitchell, Attorney at Law, GDPR Compliance Consultant
As the deadline to comply with GDPR (the EU's General Data Protection Regulation) looms, businesses outside of the EU are confused as to what they need to do to comply, or whether they need to comply at all (they do). In this article GDPR legal compliance expert attorney Anne P. Mitchell explains why companies in the U.S. and other non-European Union countries need to comply with this complex and confusing regulation that goes into effect in May.
You may have heard that the European Union's General Data Protection Regulation (affectionately known as GDPR) goes into effect on May 25, 2018, but if you're like many small to mid-sized businesses you may think it's nothing to be concerned about if your business isn't located in the EU.
Unfortunately, you’re wrong. The pending regulation applies to anyone who does business or collects data from individuals and organizations in the EU. Here’s an overview of what the regulation covers and why you need to be concerned (and comply).
What is the GDPR?
GDPR is an acronym for General Data Protection Regulation. In the simplest terms, the regulation is intended to give individuals in the EU more control of how their personal data is used by businesses and individuals. When it goes into effect, it will apply to the collection, processing, use of, retention and deletion of personal data by companies. It will replace the Data Protection Directive 95/46/EC.
What kind of personal data falls under the GDPR?
The GDPR paints the term "personal data" with a very broad stroke. It defines personal data as any information relating to an identified or identifiable natural person, whether that information concerns their personal, public or professional life. That includes information such as their name and address, phone number, email address, financial accounts, medical information, and even online identifiers such as their IP address.
Why comply with GDPR even if your company is in the United States or another non-EU Country?
Although the GDPR protects individuals in the EU, it protects them from unwanted data usage from any source inside or outside of the EU. Its territorial scope (Article 3) expressly extends to businesses that are not established in the EU whenever they process the personal data of people in the EU in connection with offering them goods or services (whether or not payment is required) or with monitoring their behaviour within the EU. This means that starting on 5/25/18, if your business - regardless of where you are located - is found to have improperly handled any data that is covered by GDPR, your business can be subject to legal actions and to fines of up to 20,000,000 EUR (nearly $28 million USD as of the time of the writing of this article) or 4% of your company's total worldwide annual turnover for the preceding financial year, whichever is greater. This is why you should question anybody who tells you that you don't need to worry about complying with GDPR if you are in the United States or another non-EU country.
Can the EU enforce GDPR outside of the EU?
International jurisdiction is a very complicated thing. However, at base, jurisdictional law requires that there be some connection between the offending party and the jurisdiction in which the aggrieved party is located or in which the offending act happened. In other words, generally speaking, if Mary from Germany was hit by Joe's car while vacationing in the United States, she would have a very hard time getting German courts to hear the case - she would almost certainly have to sue in the U.S., as the incident (her injury) occurred in the U.S. and was caused by Joe driving his car in the U.S.
However, if Mary is sitting in Germany and is defrauded by Joe who (from his New York location) takes money from Mary's German bank account (at a bank which is headquartered in Germany and has no U.S. branches), you can bet that Germany is going to have an interest in going after Joe.
Using that example, it's not hard to see how the EU would have an interest in someone who is violating GDPR, even if that someone is headquartered outside of the European Union. GDPR and the agencies charged with enforcing it take breaches of data privacy and data handling very seriously, and if you think about all of the nasty things that can be done with someone's personal data, who can blame them?
The above doesn't completely answer the question "How are they going to enforce it?", but it does show that they have both the law and the intention to do so, and, as we tell our clients, our job is to make sure that you don't end up as a test case. Being a test case is way more expensive, time consuming, and stress-inducing than just biting the bullet and getting GDPR compliant.
Can you avoid GDPR Compliance by blocking EU visitors from your website?
Many companies think that they can simply avoid the whole thing by only taking on customers or clients from outside of the EU. They think that instead of getting compliant, they can just use one method or another to determine whether someone is "in the Union" and thus whose personal data falls under the protection of GDPR. Some of the things that these companies propose are:
· Refusing website or other Internet traffic from (i.e. blocking) anyone whose IP address is located within the EU
· Putting in their Terms of Service that the user or customer confirms that they are not in or from the EU
· Asking people at the time of signup where they are from
The problem with these and other such schemes is that they will fail. The first one - identifying people within the EU by the geolocation of their IP address and refusing them access to your site or service - runs straight into GDPR itself. An IP address is personal data, and geolocating it in order to decide how to treat someone is automated processing of that data; in fact it fits squarely within what GDPR calls 'profiling', which GDPR defines as "any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements." GDPR does not ban profiling outright, but it regulates it and gives the people being profiled rights in respect of it, and every EU visitor you screen out has already had their personal data processed by you. The scheme starts by doing the very thing it was meant to avoid.
And even if that were not the case, people use VPNs to mask their actual IP address all the time. So that IP address that looks like it's in the U.S. or elsewhere could actually be masking someone's EU-based IP address.
"But Anne," you ask, "GDPR says 'any form of automated
processing', so it's ok if we just ask them or somehow manually get that
information, right?"
No, because this leads us to the other ways that trying to get around GDPR by excluding anyone from the EU will fail.
First, people lie, or are simply mistaken, or may not even know the exact truth themselves.
Second, as we point out in our article on how and why to comply with GDPR, GDPR hides the ball about exactly what is meant by "in the Union" and when you might get in trouble for using data acquired from someone that you thought wasn't in the EU at the time of acquisition.
For example, under the language of GDPR, if Joe Smith, who is a U.S. citizen, is signing up for your U.S.-based service, or placing an order through your U.S.-based website, while on an airplane flying over an EU country, then by the language of GDPR the data that Joe provides to you is covered by GDPR.
It also doesn't clarify whether "in the Union" means specifically "sitting at a location within the EU boundaries at the time of data acquisition" or also means anchored in the Union (the EU), such as where an email address or telephone number is anchored. For example, I live in Colorado, but my telephone number, which begins with 408, is anchored in California. If California had a law similar to GDPR, that could be enough of a hook for California to prosecute a company which has my personal data, including that California-anchored telephone number, even if that company is not itself in California.
Also, GDPR has provisions setting out what you must do in the event of a data breach, and the way it is written, it covers any and all personal data, even that which you collected prior to GDPR going into effect, if that data is the personal data of someone "in the Union".
And, because GDPR includes a private right of action (the right to lodge a complaint with a supervisory authority, the right to a judicial remedy, and the right to compensation), any aggrieved individual who thinks that they are protected under GDPR can bring an action against your company if they believe you have not handled their personal data according to the requirements of GDPR.
How to Comply with GDPR
Below is a brief overview of what you need to do to comply with GDPR. The document containing GDPR together with its recitals (the explanatory preamble that precedes the articles) is nearly 100 pages long; the articles of the regulation themselves run to nearly 50 pages. So while this is a brief overview, it's important that your company actually drills down to make sure that you are in compliance. In other words, consult an expert to review what you are doing and to help make sure that you are GDPR compliant.
To comply with GDPR you must:
· Have a lawful basis for both the personal data that you are acquiring and every use to which you will put it. GDPR recognises several lawful bases (for example, that the processing is necessary to perform a contract with the person, or to meet a legal obligation), but for the marketing uses that most small businesses care about the practical basis is full informed consent. If you haven't both disclosed a particular use you intend for that data, and received specific consent for that use, you cannot use the data for that purpose. Yes, that means that if you have a great idea for a way to use that data after you have initially acquired it, you can't do it unless you go back to the person and get their specific consent for that use.
· For instance, suppose you are using a lead magnet (i.e., something you give away for free) to attract people to your website. Under the GDPR, you can't add someone to a mailing list just because they accepted your giveaway. You must not only let them know up front that they will be signing up for your mailing list when they request your giveaway, but you must obtain, and be able to prove, that they gave you fully informed consent for you to put their email address on that mailing list. Keep a record of when and how each consent was given and what the person was told at the time, because under GDPR the burden of demonstrating consent is on you.
· Note that GDPR specifically states that "Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them." GDPR also requires that withdrawing consent be as easy as giving it.
· Store that data securely, using technical and organisational measures appropriate to the risk (GDPR names encryption and pseudonymisation as examples of such measures).
· Allow the person whose data it is access to that data, including a copy of it and an explanation of what you are using it for.
· Make sure that the person whose data it is has a way to readily and easily have their data removed from your possession (i.e. deleted completely, with the request passed on to anyone you have shared it with), and make sure that they know how to do it.
· Notify the proper supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a data breach, unless the breach is unlikely to result in a risk to the people affected; where the breach is likely to result in a high risk to them, notify the affected individuals as well. Document every breach, including the ones you decide not to report, because the authority can ask to see that record.
Also, GDPR requires a written contract with every data processor you hand personal data to, and there is liability to any business that collects data (for example, the collection of email addresses) and then gives that data to a data processor who is not GDPR-compliant (for example an email service provider or other email marketing service). It is therefore imperative that you update all of your third-party contracts with various service providers with language that both confirms that the service provider is GDPR-compliant (the processor terms GDPR requires cover things such as processing the data only on your instructions, keeping it secure, assisting you with breach notification and with requests from the people whose data it is, and deleting or returning the data when the service ends) and provides for indemnification if that service provider is breached or sued for a violation of GDPR, because you are on the hook for having given that personal data to a non-compliant entity. Some third-party service providers will push back on the indemnification part, but it's your assets on the line if they are sued and found to have not been GDPR-compliant.
Despite the above, it should now be obvious that it is actually much simpler to comply with GDPR than to try to get around it.
In fact, we have not run into a company yet which is not already at least half-way compliant simply by virtue of its current practices.
Plus, being able to say on your website that you are GDPR compliant is a positive thing for people to see, which will give them a sense of security around doing business with you.
© 2018 Institute for Social Internet Public Policy
Source: by Anne Mitchell – Institute for Social Internet Public Policy
Anne P. Mitchell is the CEO of the Institute for Social Internet Public Policy. In addition to being one of the first Internet Law and Policy attorneys in the United States, and one of the only attorney experts on GDPR legal compliance, she is also the author of the Email Deliverability Handbook, and President of SuretyMail, providers of email reputation certification. For more information about GDPR compliance or to contact Ms. Mitchell, please visit www.isipp.com.
You can also gain further information by visiting Paul O'Mahony's website and contacting them regarding GDPR training at the links below:
rsmx.rethinksocialmedia.com – http://nextsteps.rethinksocialmedia.com