Some of you may wonder: what is GDPR, and does it affect my company? Hopefully, this blog post will provide some guidance and clarity on what to do and what to expect from GDPR if your company does business in the EU.
GDPR stands for General Data Protection Regulation. It is the European Union law on data protection and privacy for all individuals living in the 28 member nations of the European Union. GDPR also addresses the export of personal data to companies outside the EU.
After May 25th, many major U.S.-based news sites, like The Los Angeles Times, The Dallas Morning News and the Chicago Tribune, started blocking visitors from EU countries.
“Our site is unavailable to European Union visitors while we work with our partners to ensure your data is protected,” reads a message on The Dallas Morning News site.
Why did this happen? Because they were not GDPR compliant when the regulation came into force. If a website is visited by someone in the EU, GDPR requires the business to seek the visitor’s consent before collecting personal data that could be used, in the case of publishers and marketers, for ad targeting.
As already mentioned, GDPR protects personal data not only within the EU but also when that data is exported outside the EU, which means that any U.S. company that has a Web or office presence and markets its products in the EU has some homework to do. Here is how it works for a company outside the EU. GDPR only protects data that was directly exported from EU territory. GDPR applies to a territory rather than to an individual person: if an EU citizen travels to the U.S. and his or her data is captured there, the company has no obligation to follow GDPR rules and regulations. However, if the same person’s data is captured while he or she is within EU territory, the company capturing the user’s information must follow the GDPR law.
Targeted Marketing And The Web
Many companies that do not have a physical presence in the EU collect most of the personal data belonging to EU customers over the Web, using ads and other marketing tools. Not all Web pages are subject to GDPR rules and regulations. GDPR doesn’t apply to generic marketing. For example, if an EU user visits a website that is written in English and directed at U.S. customers, that webpage doesn’t fall under GDPR. On the other hand, if a user in Poland finds a webpage whose content is written in Polish and mentions EU companies and customers, then GDPR will apply.
Some U.S. companies that would likely fall under GDPR are:
- Hospitality companies that have hotels/resorts all over the world, including in the U.S. and the EU.
- Travel companies that promote different travel destinations.
- Software services companies that offer service and support to users in the EU.
- E-commerce companies that conduct transactions in the EU over the Web.
While the focus of GDPR is on Europe, some companies have declared that they will offer the same privacy protections to all customers, no matter where they live. Nevertheless, any U.S.-based company with data stored overseas and/or European operations needs to take special notice of the actions GDPR requires.
Consent, Breach Notification, And Fines
To be compliant with the GDPR rules and regulations, U.S. companies will have to modify their website forms and any interactions with the online customers to obtain explicit consumer consent. In the language of the GDPR, consent must be “freely given, specific, informed, and unambiguous.”
In other words, if a U.S.-based company wants to collect email addresses from customers in Germany for downloading documents or signing up for a newsletter, the company must spell out what the purpose of this “email collection” is and how the company plans to use this information. Under GDPR rules and regulations, the company is not allowed to ask the user to click a link that redirects to another page to find this information. All of it must be visible and clear on the same page on which the user accepts or declines.
U.S. employers should have a training and compliance plan in place to prepare for implementation of the GDPR, which requires training in handling personal data. The EU’s website is a handy resource to start with. GDPR compliance affects all levels of an organization that handles private information. GDPR is tough, and the punishment for non-compliance is harsh. For example, failing to report a breach to a regulator within 72 hours, or breaching record-keeping obligations, incurs a fine of up to 10 million euros or 2 percent of annual global turnover for the previous year, whichever is higher. Infringing people’s data rights or making any sort of unlawful transfer of data out of the EU results in a fine of up to 20 million euros or 4 percent of global income for the previous year, whichever is higher.
Long story short, if your company is a U.S. company, especially one with a strong Web presence in the EU, you should be paying attention to GDPR rules and regulations, and your IT department should start changing practices now rather than waiting to become a headline two years down the road.