GENERAL DATA PROTECTION REGULATION COMPLIANCE: DOESN'T APPLY TO YOUR ONLINE BUSINESS? NOT SO FAST.
If you do any business or provide services to customers on the Internet, May 25, 2018 is an important day. That Friday is the deadline for companies to implement and comply with the European Union’s General Data Protection Regulation (GDPR), which governs the collection and use of personally identifiable information. Personally identifiable information includes any data that can be used to identify a specific individual or to distinguish one person from another. Such data includes, but is not limited to, names, addresses, telephone numbers, email addresses, birthdays, social security numbers, credit card numbers, login names, profile photos and images, demographic information and even IP addresses.

The GDPR governs what companies must do to receive, maintain and protect the personally identifiable information that they request, receive and collect from their customers on the Internet. The new law carries very significant fines and penalties for non-compliance.
Do you think that the GDPR does not apply to you because you are a company in the US?
Not so fast. Even if your business is outside of the European Economic Area (another name for the geographic areas occupied by member nations of the EU), GDPR regulations will probably affect your business. They definitely apply if your company collects or stores any data from any customer or person who sends that information (whether knowingly or unknowingly) from within any nation that is a member of the EU. Furthermore, all businesses, even small businesses, are subject to GDPR enforcement and regulation, so this is not something that your company should ignore or overlook.

The new law clearly applies to electronic and digital data collected through the Internet, so e-commerce platforms, social networks, business websites and other cloud computing platforms that exchange and store data from their visitors are definitely subject to the new regulations. Because e-commerce and the Internet are basically borderless, companies may find that they are subject to GDPR requirements without knowing it, so all companies that do business on the Internet are well advised to comply with the new law in order to avoid serious surprises and consequences.

The following countries are currently part of the EU, and any information your business collects (whether knowingly or unknowingly) from persons in these countries is governed by the GDPR: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and the United Kingdom (until March 29, 2019).

As a business owner or company with an online business presence, you will need to understand and assess what kinds of data your company collects and controls.
The GDPR requires that you receive specific and express consent to collect and process someone’s information, and it requires you to keep only the minimum amount of data needed for the purposes for which it is used. Your company is also responsible for the third parties that manage and process the data you collect, so mere finger-pointing when something goes wrong will not suffice.

The penalty for technical noncompliance is the “greater” of either €10,000,000 (currently $11,852,905 US) or 2% of your company’s global revenues. The penalty for more serious noncompliance, namely violations of certain key provisions of the GDPR, is the “greater” of either €20,000,000 or 4% of your company’s global revenues. Obviously, then, compliance with the GDPR may make the difference between your company's solvency and insolvency.

The task of complying with the GDPR is daunting, but effective safeguards should be fairly easy to implement. A starting point for evaluating your company’s risk is to examine the following:
What kinds of data do you have, where is it stored, and how secure is that information from possible hackers or thieves? (The GDPR is particularly sensitive to the collection of children’s data.)
Where does the data come from, and how is it input into your company’s system?
What kinds of security protocols does your company use to prevent data breaches, and are the procedures clear and effective?
Do you have someone in the company who is specifically dedicated to oversee privacy and security protocols?
Small businesses (companies with fewer than 10 employees and annual revenues of €2,000,000, or about $2.5 Million US) are exempt from certain portions of the new regulations. However, the GDPR does not decrease the penalties and fines for small businesses that violate or ignore the requirements. Therefore, even small businesses must be careful to remove private data when there is no valid business justification or purpose for retaining it, and to comply with all applicable provisions of the GDPR.

Even if the GDPR absolutely, certainly and undeniably does not apply to your company (which is increasingly unlikely in today’s global and technological world), data security and records handling are still obviously an important part of your business that cannot be ignored. At a minimum, we suggest that you consider implementing at least the following when asking customers and visitors for their personal information:
Be specific and concise about the kind of information that you are asking from your customers and visitors and make sure that they consent to each category of information.
Keep your consent requests separate from other terms and conditions governing your customers and visitors’ use of your website and services.
Use opt-ins that require customers and visitors to actively give their consent; do not assume permission merely because they choose to continue using your website and services.
Identify, when available, any third parties who will rely on the consent.
Make it easy for individuals to withdraw their consent at any time, and provide a clear way for them to do it.
Remove the personal data of anyone from your system whenever they request it (except for minimal record-keeping items for law-enforcement and court-related purposes).
Create and maintain a record of the consents that you receive from your customers and visitors (i.e., who, when, how).
Examine your consent practices and existing records routinely.
The bottom line is that trust and engagement are what keep companies running and profitable. How you handle other people's information is an integral part of that experience and has a significant effect on your company’s reputation. We highly recommend that you contact a company that specializes in GDPR technical compliance and correspondingly update your company’s website privacy policies and terms of use to reflect that you are complying with GDPR requirements.