By: Alana Goycochea
Even American companies that have a website need to comply with the EU’s GDPR laws. The General Data Protection Regulation (GDPR) is the European Union’s new data protection regulation. The GDPR went into effect in May 2018. The regulation aims to give consumers control over their personal data. American entrepreneurs are probably wondering what an EU regulation has to do with them if their business is located in the US. They have nothing to worry about, right?
Not true.
The GDPR has an expansive scope, with strict compliance standards, and significant penalties for noncompliance.
Who Does the GDPR Apply To?
The GDPR applies to any company that has a website marketing its products online. You are subject to the GDPR even if you are located in Pennsylvania and regardless of whether you ever sell a product to someone in the EU. As soon as you collect the personal data of an individual who lives in the EU, you are subject to the stringent requirements of the GDPR.
What is “personal data”?
Personal data is any information relating to a person, including the person’s name, email address, photo, banking information, cookie ID, social media information, and even an IP address.
How to Comply With GDPR?
To comply with the requirements of GDPR, your business must consider what data it needs from customers, obtain affirmative consent for that data collection, update the company website, respect the rights of consumers that want to be forgotten, and inform customers of any data breaches.
a. How to Determine What Data to Collect?
The determination of what data to collect is highly company-specific. First, figure out how you will use any data collected before deciding what data you should collect. As part of formulating a data strategy, you should create a company policy for data disposal. Under the GDPR, it is unlawful to keep data indefinitely. Your policy must consider the useful lifetime of the data and weigh that against the consumer’s need for data protection.
b. How to Obtain Affirmative Consent?
Providing your site’s privacy policy is not enough. EU consumers must affirmatively consent to your data collection. Amongst other requirements, you must inform EU consumers of who your company is, why your company needs their data, the legal justification for processing their data, how long the data will be kept, who can and will receive their data, as well as an explanation of their legal rights regarding the data. After informing the consumer of these required disclosures, you must have them consent to this collection.
c. How to Update the Company Website?
The UK has also recently passed a Cookie Law, requiring websites to inform visitors about any cookies on the site and how to opt out of or change their cookie settings. Your cookie policy should also explain which cookies are active on your site, what data they track, and what the purpose of the collected data is.
d. How to Respect the Right to Erasure?
If you have been following the headlines, you may have seen some articles about a right to be forgotten. When the GDPR was adopted, the phrase changed to the right to erasure. Essentially, EU consumers have a right to opt out of data collection at any time. Your company must respect these requests and delete the data from its systems. Remember to stop using the data for any other company purpose as well.
e. How to Inform Consumers of a Data Breach?
The best practice is to notify impacted consumers via email or mail with a description of the nature of the data breach, the likely consequences of the breach, the contact information for the company’s Data Protection Officer or other contact person, and information regarding how the company plans to address the breach.
What is the penalty for not complying?
If a company has infringed the GDPR, it could face a temporary or definitive ban on processing data. In addition, a fine could be assessed of up to €20 million (approximately 22.7 million US dollars) or 4% of the company’s total annual worldwide turnover. If a company has likely infringed the GDPR, a warning may be issued.
Lasting Impact of GDPR on American Companies
Many international companies have adopted the privacy standards established by the GDPR. As a result, some have labeled this the “Brussels effect,” a phenomenon in which European regulations become a global baseline. This impact has led to much speculation that American legislators will pass similar legislation. At the time of this blog post, the US federal government has yet to pass similar legislation; however, California recently passed a bill similar to the GDPR. Companies should be mindful that more states may pass privacy bills in the future. While some companies have circumvented the GDPR by blocking all EU traffic from their site, all companies should consider creating a data policy.
*This post was authored on November 11, 2018.
Alana Goycochea, at the time of this post, is a second year law student at Penn State’s Dickinson Law. She is from Southern California and is interested in entrepreneurship law. Alana is currently serving as President of the Women’s Law Caucus.