Enter the GDPR
The General Data Protection Regulation (GDPR) is a new law coming out of the European Union that will provide better protection of individuals’ personal information through the implementation of some strict requirements for companies that possess personal data of people living in the EU.
The GDPR will take effect on May 25, 2018, and the penalties for non-compliance are steep. The maximum fine is €20 million. I’m not a mathematician but that is quite a lot.
This regulation has been in the headlines for a while now, so hopefully, most big businesses and multi-national corporations are more than compliant at this point, because May 25th is fast approaching. But what about the US-based companies that aren’t directly connected to any one of the 28 member states of the EU? Don’t think you have to worry?
If your company has a web presence at all and markets your products or services over the internet you are going to want to look into this a bit more.
What are we talking about here? When would this apply?
No financial transaction needs to take place in order for the GDPR to apply. If personal information or data of an EU resident (not necessarily a citizen) is collected or processed by a US-based business, then the GDPR will apply.
Personal data or personally identifiable information as we call it here in the States is any type of information that could be used to identify someone. This can be direct information like email addresses, or indirect information like cookies and location data.
There are some slight nuances here: it seems you won’t fall under the GDPR’s strict requirements if you aren’t directly marketing to EU residents. For example, if someone in Denmark Googles a term and comes across your coaching business’s website, which is written in English and primarily directed at US consumers, then you are likely not going to need to worry about the GDPR. However, if your site is marketed to consumers all across the globe, i.e. it offers various language settings, targets ads outside of the US, takes customers from outside the US, or uses testimonials from or references its EU client base, then the GDPR is going to apply to you. And to get as techy as I can: if your business accepts any currency of an EU state and can be reached from another country under that country’s domain suffix, then you will certainly fall under this regulation.
If your business has found a great market in an EU country and has localized content, then you will want to review how your website is operating.
How to get compliant if you need to
The main point to remember is that you are going to need to get explicit consumer consent before taking any personal data from a user. The GDPR states this consent must be “freely given, specific, informed, and unambiguous.”
For example, let’s say your business collects email addresses for mailing lists, promotions, and general customer research. If you are collecting emails of EU residents, you need to have a checkbox that allows the person to decide yes or no on giving their email, paired with an easy-to-understand explanation of what you will do with that address. No legalese, and no sending them off to some other screen full of terms and conditions so long that they just say yes because no one has time for that.
The process gets a bit hazier if you sell products or services. You will need to obtain permission for each type of processing done on the personal data, and you need to make sure any third parties you are working with (PayPal, Stripe, etc.) are compliant as well. If you’re sharing personal information with any third parties, the consumer must be able to consent to each party receiving their information.
There’s just a little bit more…
You are also responsible for the protection of any data that you collect, and you must protect it in accordance with the GDPR rules. If you already follow existing data security standards, you should be fine. But then again, Facebook…so…make sure you’re up to speed on that.
If there is a data breach, whether accidental or unlawful, that results in the disclosure of personal data, and any EU resident’s data is affected, then either the EU regulator or the resident themselves must be notified within 72 hours. The type of data released will determine who must be notified.
Better safe than sorry
Have more questions? Shoot me an email at Shannon@montgomerypllc.com and we can talk about it!
Please note that this is not meant to be legal advice for you or your situation, this is merely some legal research and knowledge on the given topic.