The European Union’s General Data Protection Regulation (GDPR) enforcement rolls out this May. Many US-based businesses with a web presence store and process private user data, and some of those users are EU citizens. This blog post will attempt to shed some light on the possible issues and provide resources to help you think further about your GDPR compliance.
What is GDPR?
If you feel inclined to read it, the full text of GDPR can be read here. Forewarning though: there are 99 sections, 260 pages, and 173 recitals you will need to work through. Or, for the highlight reel, here is a gist of what this regulation covers. GDPR updates a 1995 directive protecting EU citizens’ digital rights to reflect the even more complex, data-intensive reality we all live in today. GDPR outlines the roles companies play in their interactions with EU persons (Controllers, Processors, and Sub-Processors), makes clear that its authority stretches beyond the EU in protecting citizens’ rights, articulates those rights, and establishes serious fines for infringements (up to 4% of global turnover or 20 million euro).
Why Does it Matter?
Do you have EU citizens who place orders on your site? Do you process any data of EU citizens in your application? If your site or app offers goods or services to EU citizens, the GDPR applies to the processing of personal data of data subjects in the EU, regardless of whether your company is established in an EU nation or not. Personal data corresponds to anything that can be used to directly or indirectly identify a person. So if your site handles a customer’s name, address, photo, email address, etc., and some of those customers live in the EU, GDPR should be on your radar.
How are Companies Categorized?
Companies are categorized in GDPR into three types: Controllers, Processors, and Sub-Processors. A controller is a company that decides how and why personal data is processed. A processor is a company which does the actual processing of personal data. A sub-processor is a company a processor engages to carry out processing on its behalf. Part of GDPR compliance is understanding how your company is categorized (often, companies do both controlling and processing) and what processing you are using third parties for. GDPR compliance involves ensuring those third parties are responsible in their handling of the data you share with them.
What Rights Does it Cover?
Breach Notification
Users have a right to be notified within 72 hours of a breach.
Right To Access
Users have a right to know what of their information is being processed, and how it is being used.
Right to Be Forgotten
A user has the right to have their information completely erased from your site/application.
Data Portability
Users also have a right to an electronic version of the personal data your company keeps, free of charge.
Privacy By Design
Controllers are responsible for holding and processing only the data strictly necessary to carry out their duties. Access to personal data by processors and sub-processors should be limited to what is required for the processing they perform.
What About Me?
For starters, if your business conducts serious business in the EU and regularly interacts with EU citizens, you need to have a conversation with an attorney specializing in GDPR and data protection to advise you in your risk exposure and outline what your organization will need to do to ensure compliance. Large enough companies even have to hire a Data Protection Officer whose sole role within the IT department will be to ensure compliance.
For the rest of us, GDPR shouldn’t be seen as a substantial business risk in the near future. It’s not clear what will happen to US-based businesses until the first case for violating the rules is brought against one by an EU citizen. In the meantime, there are some steps you can take to be prepared for the rare user or customer from Europe your site or application may get (think of it as proactive due diligence). Start by reviewing all of the ways you’re collecting user data, including third-party tools. Many of the most popular tools used by marketers (Google Analytics, MailChimp, etc.) are taking steps to ensure customers like you are in compliance when using their platforms (not to mention being in compliance themselves as companies). From this review, document what was reviewed and confirm that each item is, or will be, in compliance.
GDPR is also an opportunity to establish solid practices for ensuring data privacy. In a business environment where users are becoming more and more cognizant of security breaches, algorithm-driven recommendations, and personal data harvesting, being clear about what information you gather and how you use it, and practicing Privacy by Design, should be recognized by customers as part of your value proposition.