The GDPR is Coming

What is it?

The General Data Protection Regulation (GDPR) introduces the biggest change to data protection law in Europe in more than 20 years, along with huge fines when businesses are caught being out of compliance.

In a nutshell, the GDPR’s new, wider definition of ‘personal data’ covers any information about an identified or identifiable individual, but to identify someone you do not need to know their name. It is enough if you can single them out from a group, by means of an identification number, location data or online identifier (such as an IP address) or some other sort of “metadata” that is specific to their physical, physiological, genetic, mental, economic, cultural or social identity.

When is it?

The GDPR formally goes into effect on May 25, 2018.

Who does it affect?

As a Regulation, it will apply directly in every EU Member State without the need for national legislation. From early 2018, it will apply to all personal data, in whatever format it is held (including structured paper files) and whenever it was collected, so you need to ensure that any new personal data you collect complies with it as soon as possible + decide how you will bring your existing data up to the new standards.

Organisations that process personal data on the instructions of another organisation, e.g. hosting companies, will have a particularly steep learning curve because they will be subject to statutory obligations for the first time.

Why should anyone in the US care?

A very important change in the GDPR that hasn’t received the attention it deserves has do with the geographic scope of this new law.

Article 3 of the GDPR says that if you collect personal data or behavioral information from someone in an EU country, your company is subject to the requirements of the GDPR.

Two points of clarification. First, the law only applies if the data subjects, as the GDPR refers to consumers, are in the EU when the data is collected. This makes sense: EU laws apply in the EU. For EU citizens outside the EU when the data is collected, the GDPR would not apply.

Second, is that a financial transaction doesn’t have to take place for the extended scope of the law to kick in. If the organization just collects “personal data” — EU-speak for what we in the U.S. call personally identifiable information (PII) — as part of a marketing survey, then the data would have to be protected GDPR-style.

Targeted Marketing vs. Generic Marketing?

U.S. companies without a physical presence in an EU country collect most of the personal data belonging to EU data subjects over the Web. Are users in, say, Amsterdam who come across a U.S. website automatically protected by the GDPR?

Here’s where the scope of requirements becomes a little more complicated.

The organization would have to target a data subject in an EU country. Generic marketing doesn’t count. For example, a Dutch user who Googles + finds an English-language webpage written for U.S. consumers or B2B customers would not be covered under the GDPR. However, if the marketing is in the language of that country + there are references to EU users + customers, then the webpage would be considered targeted marketing + the GDPR will apply.

Starting to make sense?

Who is most likely to fall under the GDPR’s territorial scope?

U.S.-based hospitality, travel, software services + e-commerce companies will certainly have to take a closer look at their online marketing practices. However, any U.S. company that has identified a market in an EU country + has localized Web content should review their online-related operations, policies + procedures, specifically in the context of Information Security to protect their data.

Consent, Breach Notification And Fines?

For U.S. companies, EU-directed online marketing forms and interactions will have to be adjusted to obtain explicit consumer consent. In the language of the GDPR, consent must be “freely given, specific, informed, and unambiguous.”

Let’s pretend a company in Chicago is looking to run a campaign in France and has set up a landing page to collect email addresses for some sort of gated content, like an e-book or white paper. At the very least, the company will need a checkbox posted there, without a default “x” in it, accompanied by clear language about their plans for use of the email addresses they’re collecting. Keep in mind it’s not permitted to ask users to click on a link to a long “terms and conditions” document filled with legalese.

This can get more complicated when someone signs up for a service or buys something. Vendors needs to obtain explicit permission for each type of processing done on the personal data. This means any email promotions, sharing with third-party affiliates, etc. will each be required to have their own, separate checkboxes.

Once data is collected, US companies then have to protect it under the GDPR’s rules. For those already working with WIMZKL + the Resilience Diagnostic, this framework is informed by existing data security standards, including PCI DSS, ISO 27001, NIST. This means these new GDPR regulations should not be a burden, as they map nicely to our own good practices for protecting our data.

Now what?

There are still questions about how the EU will enforce these actions against U.S. and other multinational companies doing business over the Web. The EU is serious about a uniform data and privacy law for its market and has already changed the Web practices of major U.S. companies.

To get the attention of multinationals, the GDPR introduces significant fines. For not reporting a breach to a regulator within 72 hours, fines are in the first tier of penalties — 2% of global revenue rather than the higher 4% that has received more press attention.

U.S. companies, especially those with a strong presence online, better be paying attention, adjusting their practices now + not waiting or they risk becoming a cautionary tale for others down the road.

Questions? I’m all ears. Get in touch.