Where is GDPR applicable?
The internet notwithstanding, GDPR applies to any organization, wherever located, that uses the personal information of EU residents for “profiling,” or to market products to them, “irrespective of whether a payment of the data subject is required.” If you’re wondering how this affects a small business owner in (for example) Jersey City, NJ, here’s how: Let’s say you own a coffee shop in Jersey City, which is located in close proximity to public transportation hubs. People from all over the world pass by your shop every day, enroute to various tourist attractions, such as the Statue of Liberty. There’s a high probability you are marketing to EU residents, whether you intend to or not. Of course, whether you collect information about them is a separate question.
The European law, called the General Data Protection Regulation, requires companies to collect and store only the minimum amount of user data needed to provide a specific, stated service. That means a flashlight app should not be asking users for access to their photos or contacts.
Does GDPR apply to your business?
Suppose you’re in the minority of businesses that doesn’t have a website, you’re still not off the hook. Do you have a customer rewards program, or email signup list? What about a Yelp! listing, or Facebook page for your shop? Do you accept credit cards? All of these present an opportunity for data to be collected from your customers, and because we don’t yet know how GDPR will be enforced, it’s not yet clear whether these arguably de minimus collections of data create liability for U.S. business owners. Because the fines and penalties for violating GDPR can be staggering — up to $30 million, or 4% of annual worldwide revenues — it’s a good idea to be proactive and make sure your business complies.
And, by the way, GDPR compliance is in addition to the myriad domestic privacy laws and regulations, which are scattered not only throughout the U.S. Code (e.g., Federal Trade Commission Act, Electronic Communications Privacy Act, Health Insurance Portability and Accountability Act, etc.) and individual states’ laws, but also promulgated by various government agencies, which publish their regulations less conspicuously.
How can my business comply with GDPR?
Now that you know there’s a good chance your business should be complying with the EU’s new data privacy regulations, you need to know what changes you need to make to be in compliance.
- Breach Reporting. In the event of a data breach, you are required to report it to the appropriate regulatory agency within 72 hours.
- Consent. You must obtain consent before collecting anyone’s personal data. Further, consent must be “freely given, specific, informed, and unambiguous.” Admittedly this is a high bar, and this is the reason many of the recent GDPR-related emails you received require you to go to a website and click to accept the updated privacy terms. This is something you should at least consider doing for your business.
- Data Protection Officers. Depending on the size of your organization, you could be required to appoint a data protection officer to ensure that proper policies are in place and GDPR is followed.
Some of these are more daunting than others, but there’s no reason to freak out. Make a commitment (today) to adopt these new policies, and if you don’t already have adequate compliance procedures in place, call somebody for help.
The full text of GDPR is available here.
Image courtesy Dennis van der Heijden