UPDATE 5/23/18: Attorney Rian M. Kinney offered clarifying legal insights about GDPR after this post published. The valuable new information she provided has been incorporated within our original report. Please note that even though this post now contains input from a practicing lawyer, it is not intended to be legal advice, nor should it be construed as such. If you have questions about the legal ramifications of GDPR on you personally or on your business, we urge you to contact an attorney in your state, ideally a lawyer whose practice focus is on data protection. If you're interested in a GDPR audit and need guidance on getting started, please reach out to us at firstname.lastname@example.org.
Thinking GDPR (Europe’s new General Data Protection Regulation) won’t affect you because your company is based in the U.S.? Or because your website is hosted on American soil?
Well, you're in for a surprise.
The new law becomes enforceable May 25, roughly two years after approved by the European Union. It applies to information controllers and processors (parties processing info on behalf of others, such as payment processing companies or CRMS).
GDPR makes you liable for penalties if you improperly collect, store, or transfer data from people in the European Union. Your location outside of Europe or Great Britain matters not.
So it behooves you to know what this new law entails if you hope to comply with it. In a nutshell, GDPR and the global shift in concern for data protection and user privacy rights it embodies will change the way your organization collects, retains, and processes data, both internally and externally.
As for what you need to do to your website, we at Valet will spell it out for you in an upcoming article. Stay tuned.
As for what you need to do differently with your Internet practices, please keep reading.
GDPR Reflects a New Reality
First, though, a bit of explanation about GDPR itself.
The new law basically takes the essence of the EU’s 1995 Data Protection Directive and injects it with a mega-dose of steroids. GDPR completely replaces the old law, which was previously recognized as the gold-standard for Internet data protection and privacy.
A lot happened in the world of cybersecurity since the authoring of the Data Protection Directive. GDPR reflects the issues and concerns of the modern Internet era—an era in which data breaches and privacy abuses occur with the greatest of ease on an overwhelmingly large scale and seemingly daily basis.
GDPR requires anyone who collects personal data from individuals located in the EU to take serious steps to ensure that all such info remains locked up tighter than a drum. Here’s just some of what must be safeguarded if an individual’s name or other personal identifier is attached to it:
- Physical mailing address
- Email address
- Phone numbers
- Web IP address
- Cookie data
- Health records
- Race, ethnicity, sexual orientation
- Political views and opinions
GDPR also demands you pinpoint the source of info you collect. As well, you must keep detailed and accurate records of the names and affiliations of individuals or businesses with whom or with which you share or disclose the harvested data.
No Time-Limit for Data Records
GDPR sets forth how to limit how long you store collected data. It also requires you to state either how long or for what legitimate purpose you collect personal data and will use them.
However, it's possible you won't be able to establish a definite time limit for deletion. GDPR mentions no time limit for how long you must preserve compliance records, such as when and how user consent was collected or withdrawn. Consequently, many experts recommend you plan on keeping records indefinitely.
There’s also no surefire, ironclad way to prove that you’re not fooling around when it comes to protecting data. Accordingly, you should strive to head off problems by first consulting with a data protection specialist or attorney who can help you conduct a Data Protection Impact Assessment, implement technological tools your business and site need to comply, and create a data protection plan outlining corporate policy for data collected, stored, company access to sensitive data, deletion schedules, and records.
Problematic too: GDPR limits your use of collected data to just the purpose you declare. You break the law if, for example, you post an invitation to receive a whitepaper in exchange for an email address, but then in addition to the whitepaper you send marketing-oriented emails (unless you clearly warned of that in the original invitation).
GDPR bars you from collecting data not legitimately needed. Example: a site visitor wants access to your cool videos about the mating habits of aardvarks in captivity. No problem if you ask this person in the course of creating a user account to disclose his or her age and favorite zoo. Major problem if you also ask for his or her political affiliation and homeownership status.
GDPR Gives Users New Rights
GDPR gives Europeans from whom you collect data the right to demand you update or remove old or wrong info.
Of course, for them to know their information is incorrect or outdated you must first let them see the collected data. Well, guess what? GDPR says you must allow them to look—and to do so easily.
Before you even start collecting data you must unambiguously ask people for their informed, affirmative, equally unambiguous consent. No more automatically harvesting personal data with an opt-out option as the only way to stop it. Under GDPR, the person must opt in if you want to be able to collect anything at all.
Oh, and get this. It’s illegal to present to your visitors any check-off boxes that you’ve already checked for them as a convenience. They, on their own, must check the boxes. In other words, all boxes must be presented unchecked.
Users also now have the right of portability. This means that, in addition to allowing them (upon request) access to their information and giving them the ability to update, correct, or erase collected information, you must provide them their information in an easily transferable electronic format. Therefore, the ability to import and export user data will be crucial for compliance.
Take GDPR Seriously
Think the EU authorities won’t catch you? In addition to the enforcement agencies established in each EU member state to ensure GDPR compliance, people in the EU harmed by violators have the right to file complaints against them.
Pegasystems—a Cambridge, Massachusetts, cloud software company— polled 7,000 EU consumers and found that 82 percent of them plan to exercise the rights GDPR grants them to ensure that you obey the law.
That’s a lot of people carrying the legal equivalent of pitchforks and torches. It’s going to be hard to escape their dragnet.
Again, with potential fines of up to 4 percent of your global annual revenue or roughly $25 million, whichever hurts you more, flouting GDPR can prove a very costly and painful experience.
But you're not alone. A survey by PricewaterhouseCoopers finds 92 percent of U.S. businesses worry about GDPR’s impact on them.
We strongly recommend you become as familiar as possible with the provisions of GDPR. What we’ve shared with you here merely scratches the surface.
Drop us a line at Valet. And stay tuned to our blog and social channels for links to more resources on GDPR.
Rian M. Kinney, Esq., founded The Kinney Firm, a Miami-area law firm that handles corporate law, e-commerce, intellectual property, and data protection cases on behalf of businesses of all sizes as well as individual clients. In addition to her roles as a respected business-and-marketing-strategy attorney and legal consultant, Rian also is a published author and is actively engaged in the WordPress community. She has spoken at conferences across the country on topics ranging from "The Future of Open Source" to "How to CYA Your Site" and GDPR.