Does GDPR Matter in the US?
What is it?
General Data Protection Regulation: A new law that will take affect on May 25, 2018 across the European Union, to include anyone worldwide doing business with individuals or companies in the EU.
If you collect personal data from customers, clients and vendors, there are preventive protocols that must be in place within your business in case that data is breached. Data must be “freely given, specific, informed and an unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her.” Source
Article 4 states that “‘personal data’ means any information relating to an identified or identifiable natural person (‘Data Subject’)”. Read how the definition of personal data will change.
As well as the changes to the definition of personal data, the GDPR alters or introduces many requirements for processing data. This includes stronger consent requirements, giving data subjects ‘the right to be forgotten’ and requiring some organizations to appoint a data protection officer.
All 28 EU members, plus Iceland, Norway, and Liechtenstein (collectively known as the “European Economic Area”), and likely the United Kingdom, will adopt the regulations.
Does it affect US organizations and companies?
To quickly summarize: Article 3 of the GDPR says that if you collect personal data or behavioral information from someone in an EU country, your company is subject to the requirements of the GDPR. Two points of clarification:
- The law only applies if the Data Subjects, as the GDPR refers to consumers, are in the EU when the data is collected. This makes sense: EU laws apply in the EU. For EU citizens outside the EU when the data is collected, the GDPR would not apply.
- A financial transaction doesn’t have to take place for the extended scope of the law to kick in.
- If the organization just collects “personal data” — EU-speak for what we in the US call Personally Identifiable Information (PII) – as part of a marketing survey, then the data would have to be protected GDPR-style.
- US companies without a physical presence in an EU country collect most of the personal data belonging to EU data subjects over the Web. Are users in, say, Amsterdam who come across a U.S. website automatically protected by the GDPR?
- The organization would have to target a data subject in an EU country. Generic marketing doesn’t count. For example, a Dutch user who Googles and finds an English-language webpage written for U.S. consumers or B2B customers would not be covered under the GDPR.
- However, if the marketing is in the language of that country and there are references to EU users and customers, then the webpage would be considered targeted marketing and the GDPR will apply.
- Accepting currency of that country and having a domain suffix — say a U.S. website that can be reached with a .NL from the Netherlands — would certainly seal the case.
- Who are likely US candidates to fall under the GDPR’s territorial scope? US-based hospitality, travel, software services and e-commerce companies will certainly have to take a closer look at their online marketing practices.
- Any U.S. company that has identified a market in an EU country and has localized Web content should review their Web operations.
For U.S. companies, EU-directed online marketing forms and interactions will have to be adjusted to obtain explicit consumer consent. In the language of the GDPR, consent must be “freely given, specific, informed, and unambiguous.”
A Summary of GDPR
Protocols are intended to:
- Close security vulnerabilities
- Prevent breaches
- Mitigate the risks when prevention fails
- Fine companies that fail to at least make an attempt to follow the law
Steps a business or organization must put in place
- Educate employees: personal data is a precious asset. All members in organization must know how to protect it.
- You must know what kind of data is collected, why it is collected and by whom. Ignorance is not an option.
- Your organization must have a written, established policy
- Of procedures and protocols that limit company employee access to the data you collect
- Of consent standards
- That offers your “Data Subjects” the right and ability to access the data you collect
- That offers your “Data Subjects” the ability to delete their personal data from your database
- Establish clear consent for receiving the personal data. It must be
- Freely given
- Specific to a purpose
- Unambiguous as to why you are collecting it
- You must have data management procedures so that your Data Subject can
- Request to check it for accuracy
- Request an electronic copy of their data such that it can be transferred to another company
- Privacy by Design – your organization must make every effort to secure the data you store
- A Data Protection Impact Assessment – should be a documented part of your organization’s every project going forward
- Procedures for security breaches – your business should have a plan if the ‘unspeakable’ happens, a security breach. The plan should include a notification policy to tell Data Subjects:
- Date of the compromise
- What was compromised
- Status of the vulnerability
- How the Data Subject can get more information
- A breach that “may” pose a risk to individuals must be reported to a GDPR representative within 72 hours and to affected persons without undue delay.
- Organizations are encouraged to designate a Data Protection Officer (DPO) – someone who is qualified by education or experience to manage the GDPR policies
- Your organization will be responsible for performing Data Proficiency Impact Assessments
- Your organization is responsible to know the GDPR policies and risks when using a 3rd party or vendor
Examples on how a US company/organization might need to be GDPR Compliant with their Internet presence
- Forms: in marketing to an EU audience, your form will need a checkbox (without a default “x” in it) along with clear language about that you intend to do with the Data Subject’s information. Giving a text link that directs the user to a long “terms and conditions” document filled with legalese is NOT allowable.
- Email marketing that targets EU countries will require explicit permission for how the personal data will be used (i.e. what type of offers they receive or whether their data will be shared with third-party affiliates. Each different scenario will require a separate opt-in checkbox.) This data will then be necessary to protect under GDPR rules.
- Do not set the checkbox default to checked.
- It must be clear what people are signing up for
- Opt-Out must be clear, free and not require a login
- Where there’s “high risk” to fundamental property and privacy rights — typically, exposure of credit card numbers or account passwords — then the data subjects themselves will also have to be notified.
- Consent may undermine “programmatic campaigns” – better known as targeted advertising. Instead of using personal data to deliver relevant ads, brands can settle for “group data,” which offers less personalization and inherently lower ROI, because the data can’t be precise enough to single out individual consumers. Read more about potentially huge liability here.
- There are still questions about how the EU will enforce these actions against U.S. and other multi-national companies doing business over the Web. However, many companies have already put compliancy in place; i.e. PayPal, WooCommerce, WordPress, ConstantContact, MailChimp, Facebook, Google, to name a few.
Compiled information from many sources, by Candee Gulick, CEO, CeJay Associates, LLC
May 18, 2018
Candee Gulick, founder & Managing Partner of CeJay Associates, LLC, has developed websites since 1999, riding the (sometimes) roller coaster of changes to Internet practices and coding. The information provided in this article is meant to offer a summary of the topic, providing sources from where the content came. Ms. Gulick is not a lawyer! The information herein this article is not to be construed as legal council. If GDPR affects you, please consult your Internet attorney to assess how your business or organization must comply.