Discussions on privacy laws have taken front and center in recent weeks as European Union (EU) member states begin enforcing the General Data Protection Regulation (“GDPR”) on May 25, 2018. As we have been discussing for a while [1], there is confusion as data collectors try to figure out the impact of this legislation. There is no question that large, multi-national corporations will have to comply and many of these corporations are already in compliance. However, with this deadline just around the corner, smaller companies that do not actively target EU residents are struggling with how this legislation impacts them.
Until all these laws are harmonized, the safest route for smaller companies may be to comply with GDPR, state, federal, local and industry regulations as much as possible. While the GDPR deadline is looming, it is worthwhile for smaller data collectors to consider the following:
GDPR Overview
The GDPR website states this legislation “replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy.” (A guide to the EU GDPR can be found here [2].)
Importantly, GDPR will apply to all data collectors holding the personal data of EU residents regardless of the location of the data collector. The definition of personal data is broadened to the extent to include any information “that can be used to directly or indirectly identify the person.” Therefore, under GDPR, this information can include “anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.”
GDPR also imposes new obligations on how the data is to be handled and stored. For example, EU residents will have a “right of access” that requires data collectors to provide specific details about how information is processed. GDPR grants EU residents a right to have their personal data deleted or erased by a data collector upon their request. The penalties for non-compliance may total anywhere from 4% of the annual global turnover of the breaching data collector or €20 Million (whichever is greater).
Should We be Concerned About GDPR Regulations?
We have been getting questions from our clients about how GDPR may impact them. The knee-jerk reaction from many American companies appears to be to ignore GDPR if their business is not focused on EU residents. Admittedly, there are many questions concerning how GDPR regulations can be enforced on data collectors outside of the European Union. Of course, betting on the fact that the EU will not be able to broadly enforce these regulations is not the best strategy.
The consensus is that general marketing to customers that may include EU residents will not trigger an obligation under the GDPR. Rather, it appears at this time, that EU residents will need to be directly targeted for GDPR to apply to data collectors outside the United States. Commentators have provided the following analysis [3] on this issue:
For example, a Dutch user who Googles and finds an English-language webpage written for U.S. consumers or B2B customers would not be covered under the GDPR. However, if the marketing is in the language of that country and there are references to EU users and customers, then the webpage would be considered targeted marketing and the GDPR will apply.
Accepting currency of that country and having a domain suffix — say a U.S. website that can be reached with a .nl from the Netherlands — would certainly seal the case.
Even if GDPR compliance may not be a priority for smaller data collectors, it is still worthwhile at this time for data collectors to consider compliance for the following reasons:
– GDPR compliance is not costly. At this point, compliance may be adding a few new disclosures to their website.
– GDPR compliance has a positive impact for customers that trust you with their data. Even if large, multi-national corporations have the most at stake, working toward GDPR compliance will only make data safer. Keeping data safe may result in more business and cutting losses related to a cyber incident.
– GDPR compliance puts you ahead of the pack. There is no doubt that the GDPR regulations are the most-strict and punitive we have seen to date. However, GDPR compliance is only going to help data collectors comply with state, federal and industry standards that they may already be required to follow. Further, if the GDPR is successful, data collectors can be certain the U.S. will adopt similar standards.
The Initial, Practical Approach To GDPR Compliance
Now that it is clear that GDPR compliance may be a concern even for data collectors that are not necessarily targeting EU residents, a discussion as to the potential for liability can be guided by the following points:
- Data Inventory. Data collectors need to first inventory the information and data that is being collected. A website that collects names and emails of visitors may gather EU resident’s data occasionally, but may not target the European Union for business. A data collector cannot thoroughly access liability without taking stock of the origin of the collected data.
- Consent? While it is still early in the process of GDPR compliance, it is assumed that most data collectors will find there is a peripheral chance that data belonging to an EU resident will be collected. This is the proper time to determine whether consent should be obtained from all individuals providing any data or information. Consent does not have to be an elaborate policy that no one would want to read (we are looking at you Apple). Rather, consent can be obtained through clear language without legalese. From a practical standpoint, data collectors may want to use a website such as SecurePrivacy.AI, [4] which has recently begun offering a free tool that scans websites for GDPR compliance
- Data/Privacy Officer. Reviewing GDPR compliance also provides an opportunity to consider whether a data/privacy officer should be appointed. This person will be responsible for handling data and information retention issues and would be a point of contact for anyone worried about how their data was gathered, used or retained.
The issues concerning GDPR are not new. Data collectors have been struggling with compliance with federal, state, local and industry data collection requirements for years. For example, an employer in Chicago, Illinois may hold information for its employees that are residents of Illinois, Wisconsin or Indiana. This employer may have been trying to harmonize privacy regulations for years at this point. Consequently, data collectors should use GDPR as another opportunity to access the safeguards they have in place to protect data.