The General Data Protection Regulation requires your action
The European Union’s newfangled General Data Protection Regulation (GDPR) becomes enforceable on May 25th. It’s a well-intentioned document, but like anything else written by politicians at the big-government level, it’s fairly ham-fisted in many areas.
Part of the problem is that it assumes knowledge of previous European legal frameworks like the ePrivacy Directive, in addition to some European case law. For American businesses, navigating this can be tricky, especially when you factor in that European legalese is quite different from the legal writing in this country. It’s written like you need to be wearing a powdered wig to make complete sense of it. It can all be a bit jarring. It can also be lethal if you’re a small company and you run afoul of the GDPR.
Penalties for violations are capped at 10 million euros or 2% of your worldwide annual turnover, whichever is higher, for the lower tier. More egregious issues (breaches of the basic principles, data subject rights or the transfer rules) can draw fines of up to 20 million euros or 4% of worldwide annual turnover.
If Facebook’s Cambridge Analytica scandal had broken after May 25th, in Europe, it would have been looking at a potential fine of up to 4% of its global revenue, which for a company that size runs into the billions of dollars.
Those are pretty high stakes. And as you’re about to find out, compliance with the GDPR isn’t just an issue for European businesses. US businesses might be in for some trouble, too.
Here are five things US businesses need to do before May 25.
1 – Figure out whether you need to be GDPR compliant
This sounds dumb, but it’s really not. In my experience, one of the biggest reasons for non-compliance is simple ignorance: the violations occurred because the party in question had no idea they needed to comply with something in the first place. This is especially true for smaller businesses, and it’s made even more dangerous by the penalties that can be levied. For a small business, the GDPR can present an existential crisis. One fine and you’re down for the count.
The misconception is that only businesses in Europe need to comply with the GDPR. That is patently false. Someone said that to me the other day, actually. “But Carl, we don’t need to do anything for GDPR because we’re not in Europe.” I leaned in real close to him, maybe an inch from his face, and snarled, “I’ll get you. And it will look like an accident.”
Anyway, if you do any business in Europe, you need to be GDPR compliant. Now, what, you might ask, does “doing business” entail? That’s a question that’s still being debated, and it’s written a bit vaguely. The regulation’s own test (Article 3) is whether you offer goods or services to people in the EU, paid or free, or monitor their behaviour, which includes tracking them with analytics or advertising cookies. For our purposes, if you market products in Europe, accept European currencies, track European visitors or have any sort of physical presence in the European Economic Area, you are doing business in Europe.
Now, if you’re a dentist in Memphis or you run a company that rents out those inflatable bouncy houses in the suburbs of Toledo, you probably don’t need to be GDPR compliant. But if your company or organization makes any attempt to market or sell in the EEA, you need to comply.
2 – Know your role
Once you’ve decided whether or not you need to comply with the GDPR (and assuming you do, as you probably would’ve stopped reading by now otherwise) it’s time to figure out the role you’re serving in the data ecosystem. There are three basic roles:
- Data Subject – The individual whose data is being collected
- Data Processor – The party that is processing data on behalf of someone else
- Data Controller – The party that controls the personal data and determines what it’s processed for
Now, the test for whether you’re a processor or a controller isn’t where the data sits; it’s who decides. If you determine why the personal data is collected and how it’s processed, you’re a controller. If you only process it on someone else’s documented instructions, you’re a processor, even if the data lives on your servers (a hosting company or SaaS vendor storing a customer’s user database is still a processor). Remember controllers can process. But processors don’t control, and the moment a processor starts using the data for its own purposes it becomes a controller for that use.
It’s extremely important that you figure out your role. And that you’re correct about it, too. You don’t want to find out the hard way that you’ve been mischaracterizing yourself. There’s nothing worse than getting knee-capped because you complied with the wrong set of rules.
3 – Map everything
This is actually a lot easier than it sounds… for most people. If your web presence is a hydra with various public-facing domains and massive digital infrastructure, this could be a challenge. But you should have the resources.
SMBs should have no problem though. Here’s how you do it:
- Crawl your website looking for every single touchpoint that collects personal data.
- Identify what information is being collected at those touchpoints
- Identify what the information you’re collecting is being used for in each instance
- Figure out where you’re storing this information, including backups, logs and any third-party services you hand it to
- Figure out what a customer would need to do to access, modify or delete it
Now, and here’s the most important part, write that stuff down. Document everything. It’s crucial that you know exactly what is being collected, where, and why. This is also a good time to identify any superfluous data that you’re collecting and stop. Because the GDPR is pretty clear about only taking what is needed (data minimisation) and not hanging on to it for too long afterward (storage limitation). I realize that sounds like something Pocahontas would have said to John Smith but it’s still good advice.
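As a concrete starting point for the mapping step, here is an added example (my own illustration, not code from the original post) that builds a personal-data inventory from a site’s HTML forms. It parses each page with the standard-library HTMLParser, records every form with its action, method and field names, flags fields whose names look like personal data, and raises two issues a practitioner cares about: personal data submitted via GET (which lands in server logs, browser history and Referer headers) and pre-ticked opt-in checkboxes. The two pages are constructed sample input, and the field-name keyword list is an assumption you would tune to your own naming conventions.

```python
"""Added example: offline inventory of personal-data touchpoints in HTML forms.

Not from the original post. The sample pages and the PERSONAL_HINTS keyword
list are constructed assumptions for illustration only.
"""
from html.parser import HTMLParser

# Heuristic: substrings that usually mark a field as holding personal data.
# This list is an assumption for the example; tune it to your own field names.
PERSONAL_HINTS = ("email", "name", "phone", "address", "dob", "birth",
                  "ssn", "card")

# Constructed sample pages standing in for a crawl of a real site.
SAMPLE_PAGES = {
    "/signup": """
      <form action="/api/register" method="post">
        <input type="text" name="full_name">
        <input type="email" name="email">
        <input type="password" name="password">
        <input type="checkbox" name="newsletter" checked>
      </form>""",
    "/search": """
      <form action="/search" method="get">
        <input type="text" name="q">
        <input type="email" name="email">
      </form>
      <form action="/feedback" method="post">
        <textarea name="comment"></textarea>
      </form>""",
}


class FormInventory(HTMLParser):
    """Collects one record per <form> on a page."""

    def __init__(self, page):
        super().__init__()
        self.page = page
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {
                "page": self.page,
                "action": a.get("action", ""),
                "method": (a.get("method") or "get").lower(),
                "fields": [],
                "prechecked": [],
            }
        elif tag in ("input", "textarea", "select") and self._current is not None:
            name = a.get("name")
            if name:
                self._current["fields"].append(name)
                # A pre-ticked opt-in box is exactly what the consent rules forbid.
                if a.get("type") == "checkbox" and "checked" in a:
                    self._current["prechecked"].append(name)

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def is_personal(field_name):
    """True if the field name matches one of the personal-data hints."""
    n = field_name.lower()
    return any(h in n for h in PERSONAL_HINTS)


def inventory(pages):
    """Return (records, issues): one data-map record per form that collects
    personal data, plus a list of problems worth fixing before the audit."""
    records, issues = [], []
    for page, html in pages.items():
        parser = FormInventory(page)
        parser.feed(html)
        for f in parser.forms:
            personal = [x for x in f["fields"] if is_personal(x)]
            if not personal:
                continue  # no personal data here, nothing to map
            records.append(dict(f, personal_fields=personal))
            if f["method"] == "get":
                issues.append(f"{page}: personal data {personal} submitted via GET to {f['action']}")
            for box in f["prechecked"]:
                issues.append(f"{page}: checkbox '{box}' is pre-ticked; consent must be an affirmative act")
    return records, issues


if __name__ == "__main__":
    recs, probs = inventory(SAMPLE_PAGES)
    for r in recs:
        print(f"{r['page']} -> {r['method'].upper()} {r['action']}: {r['personal_fields']}")
    for p in probs:
        print("ISSUE:", p)
```

In a real run you would feed it the HTML of every crawled page and keep the records as the first column of your data map; the purpose, storage location and deletion path from the list above get filled in by hand next to each record.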
4 – Figure out your Legal Bases for processing
There are six legal bases for processing personal data under the GDPR (Article 6). A lot of the commentary treats consent as the default, but it’s actually the most demanding of the six. Consent must be freely given, specific, informed and unambiguous, and signalled by a clear affirmative action. You can’t opt someone in by having a box checked by default, and withdrawing consent has to be as easy as giving it. The regulation doesn’t mandate double opt-in for email, but it does require you to be able to prove consent was given, and a confirmation email is the easiest way to do that. Additionally, the data subject keeps certain rights over the information when consent is the legal basis, including the right to withdraw it at any time. Consent also goes stale. The GDPR isn’t explicit about its shelf life, but you’re expected to re-engage and re-permission at regular intervals.
That makes marketers sad.
Fortunately, you don’t have to use consent as your legal basis. For instance, if you’re running an e-commerce website, you may be able to rely on legitimate interests for some processing, such as cart-abandonment reminders to existing customers, provided you document the balancing test showing your interest doesn’t override the customer’s rights. Be aware that the ePrivacy rules on unsolicited email still apply on top of the GDPR, so legitimate interests won’t cover marketing email to someone who has never bought from you. Additionally, many organizations process information because it’s necessary to perform a contract with the data subject. That’s a legal basis, too. Before you charge headfirst into using consent, explore the other five to see if one of them fits better.
5 – Get EU-US Privacy Shield certified
The GDPR restricts transfers of personal data outside the EEA (Chapter V). The simplest route is a transfer to a jurisdiction the European Commission has deemed to provide “adequate” data protection; otherwise you need an approved safeguard such as standard contractual clauses, binding corporate rules or, for US companies, Privacy Shield certification. In this case, we’re not referring to technical safeguards, but rather legal ones. Unfortunately, the United States as a whole has not been deemed adequate.
So instead, what most US companies do is get EU-US Privacy Shield certified. Basically, you need to perform a self-assessment similar to the one we discussed earlier. You need to lay out what data you’re collecting and what you’re doing with it, then you need to agree to follow the principles laid out in the EU-US Privacy Shield framework. Finally, you’ll have to get a corporate officer to sign it, pay some fees (depending on your size and revenue, upwards of several thousand dollars) and submit your self-certification to the Department of Commerce. You have to re-certify every year, too, and once you commit to the Privacy Shield policy, the FTC or the Department of Transportation, whichever oversees you, can legally fine and penalize you for non-compliance. One caveat for anyone reading this later: the Court of Justice of the EU struck down Privacy Shield in July 2020, so after that date look at standard contractual clauses and the EU-US Data Privacy Framework that replaced it.
If you think #5 sucks, you’re not alone. And while I like to avoid politics like the plague, there is a political backstory here. The US has never been deemed adequate. The previous arrangement, Safe Harbor, was struck down by the Court of Justice of the EU in October 2015 over US government surveillance, and Privacy Shield is its replacement. It nearly died in its first year: in his first week in office, President Trump, who ran on an anti-immigration platform, signed an executive order aimed at sanctuary cities that included this line:
Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.
Read literally, that says non-citizens get none of the Privacy Act’s protections, and the European Commission noticed immediately that this would include Europeans, which would undercut the whole basis for treating US transfers as acceptable. The reason Privacy Shield survived is the phrase “to the extent consistent with applicable law”: the Judicial Redress Act, which Congress passed in February 2016 while Privacy Shield was still being negotiated, extends Privacy Act remedies to citizens of covered countries including the EU, and an executive order can’t override a statute. The Commission said as much and the framework stayed standing. Still, it shows how thin the legal footing under your transfers is, so remember that when you have to pony up a few grand each year just to continue business as usual with your European partners.
I hope this helps you out, and as always leave any comments or questions below.
Stay cautious, my friends