How will GDPR affect my business?
If you haven’t heard of GDPR, it stands for General Data Protection Regulation. It replaces the EU’s 1995 Data Protection Directive, was adopted by the European Union (EU) in 2016, and applies in full from May 25, 2018. GDPR requires organizations anywhere in the world that control or process the personal data of people in the EU to protect that data and to honor the rights the regulation gives those people.
To whom does this apply?
All public and private organizations that collect, store or process the personal data of people in the EU. The test is where the person is, not their citizenship. It also applies to non-EU companies if they process the personal data of individuals in the EU while offering them goods or services or monitoring their behavior.
What is personal data?
Personal data is any information relating to an identified or identifiable person, such as a name, photo, email address, bank details, posts on social networking websites, location details, medical information, gender, biometrics, or a computer’s IP address.
Will my U.S. company, which has no physical presence in any of the 28 EU member states, need to comply?
The answer is Yes and No.
If someone in the EU visits your website, your site sets cookies and logs their IP address, and both can be personal data. If visitors from the EU complete any type of form or survey or make a purchase, you have collected personal data that must be protected.
People search the web for all types of information. For example, if a user in Germany Googles a topic and finds your English-language web page written for U.S. consumers (B2C or B2B customers), that alone does not bring you under GDPR: the regulation treats the mere fact that a site can be reached from the EU as insufficient, and your site would most likely be considered a generic marketing tool.
But if you offer a German-language version of your website, that is targeted marketing and you must comply. The same applies if you provide a translation of your site in the EU visitor’s language.
Accepting payment in euros or another EU member’s currency, or using a country-code domain such as .fr (France), are likewise treated as signs that you are targeting an EU market, and you must comply.
U.S. companies most likely to fall under GDPR’s reach include travel, hospitality, e-commerce, financial, medical, and software services. These businesses should pay close attention to their online marketing, data collection and data protection. Any U.S. company that has identified a market in an EU country and has localized web content should review its web presence, operations and data management procedures.
Third-Party Compliance with GDPR
What does this mean? Marketing and sales tools such as HubSpot, Salesforce, MailChimp or Constant Contact, a web hosting platform on which data is collected and used for sales and marketing, and vendors and distributors in the EU and EEA (European Economic Area) are all third parties that handle personal data on your behalf; GDPR calls them processors and requires a written contract with each. You will need to confirm with them that they comply with GDPR and have tools in place to retrieve, pseudonymize, and delete your users’ data from their servers.
BYOD & Working Remotely
If you have employees or support services that work off-site and use their own equipment, you should confirm that they are following the procedures for protecting data that may be on their devices. If the device is stolen or lost, it should be immediately reported and you should follow established policies and procedures for handling and notifying those whose data might be compromised.
Consent to Use, Data Breach Notification & Fines
U.S. companies that use targeted EU online marketing forms and communications will need consumer consent, and under GDPR that consent must be freely given, specific, informed and unambiguous. For example, if you have a form to be completed for downloading a white paper, the form must include an unchecked check box beside a plain statement of what you will do with the information collected, and the form must refuse to submit until the box is checked. If someone purchases your service or product, the processing needed to fulfil that purchase does not need a consent box, but each additional type of processing does: future promotions and sharing with third parties each need a separate check box, and neither may be a condition of the purchase.
All data collected will need protection under GDPR’s rules. Companies that already follow data security standards such as PCI DSS, ISO 27001 or the NIST frameworks have a head start on the security obligations, although those standards say nothing about consent, individuals’ rights or breach notification, which GDPR also requires.
Business Catalyst web hosting is PCI compliant and they are working on making the platform GDPR compliant. We’ll keep you posted on completion and launch.
GDPR has a 72-hour breach notification rule. A breach is any security incident leading to the accidental or unlawful destruction, loss or alteration of personal data, or to its unauthorized disclosure or access. You must notify the supervisory authority within 72 hours of becoming aware of the breach, and you must also inform the affected individuals without undue delay when the breach is likely to put them at high risk.
Because every business is different and the GDPR takes a risk-based approach to data protection, companies should assess their own data collection and storage practices, including the way they use marketing and sales tools. If in doubt, seek legal advice to confirm whether the GDPR applies to you and whether your business practices comply.
Preparing for Data Protection
Know and document where personal data collected by your business is stored and what you do with the data. You’ll also need to identify who can access it and if there are any risks to the data.
Decide what data you need to keep and remove data that isn’t used.
Do you really need to collect and keep all categories of personal information?
Put security measures in place to guard against data breaches and quickly notify authorities and individuals of a breach.
Make sure that third parties that have access to your data, have security measures in place.
Review your consent policies: do not use pre-checked boxes, and do not rely on a link to your privacy policy alone. Add unchecked check boxes, each with an explanation of how you will handle and protect the data collected.
Establish procedures for handling personal data.
How will individuals give legal consent to collect and use data?
What is your process for an individual who requests his data be deleted?
How will you ensure that data deletion is completed on all platforms, including third parties?
How will you transfer data when requested by an individual?
How will you confirm the identity of the person requesting data transfer?
How will you communicate a data breach?
GDPR administrative fines for non-compliance are huge: up to €20 million or 4% of worldwide annual turnover, whichever is higher.
Make sure your website includes policy statements and update, when appropriate.
This information should not be considered legal advice. We urge you to consult an attorney familiar with GDPR if you want advice on the interpretation or accuracy of this information, or on whether you must comply. The bottom line is that you should not rely on this web post as legal advice or as a recommendation of any particular legal understanding.