What GDPR Means for Your Marin or Sonoma Business

In a nutshell, what is the General Data Protection Regulation (GDPR) and does Your company need to worry about this new regulation?
*I am not a lawyer. I am especially not your lawyer, or anyone else’s. This is not legal advise. I recommend anyone in need of legal advise on this subject to contact their attorney.
Going into effect May 25, 2018, the European Union’s General Data Protection Regulation presents the biggest sweeping change to European data security in the last 20 years. With information and news coverage regarding GDPR increasing as the deadline for compliance draws closer (depending on when you are reading this it may already be in affect), you’ve likely read about some of the highlights of the regulation like the defined rights of individuals, the “right to be informed”, breach reporting, high fines, and more.
My Thoughts:
It is my understanding that, if you are outside the EU, you only have to worry about the GDPR regulations if YOU ARE TARGETING EU citizens. If you are running special offers solely for citizens in the EU, France, Germany, etc. Or running Ad campaigns to solely target EU customers, then you need to be GDPR compliant. The gray area is, the EU courts have the discretionary ability to determine if a U.S. company was purposely targeting and collecting EU resident data or not. The EU regulators can fine U.S. companies for violating GDPR, and they can do it with the help of U.S. authorities and international law.
Is your Marin or Sonoma business offering products or services to the European Union and is your site compliant?
Good article to read that explains more: Click Here
Geographic Scope
Since this an EU regulation, it’s safe to assume that businesses doing business in the EU are in the process of complying if they haven’t already. But what if you have a company in the U.S. with no business ties to or operations in any of the 28 European Union states? Do you still have to comply with this regulation?
One important element that’s frequently been overlooked is the specific geographic scope of this regulation. Article 3 of the regulation states that if you collect personal or behavioral data from anyone in an EU country, then you must meet the regulation’s requirements.
To be even more specific, the law applies only if the consumers, the subjects whose data has been collected, are in the EU at the time of the collection. If the consumer is outside of the EU when the data is gathered, the regulation would not apply.
Furthermore, and this is very important, a financial transaction is not required for the extended scope of the regulation to apply. If the business or organization that collects what the EU calls “personal data”, in the U.S. personally identifiable information (PII), for something as simple as an online poll, the data is required to be protected under the regulation.
Defining Targeted Marketing
U.S. companies gather data belonging to EU data users over the web where they don’t have a physical presence in any of the EU countries. So if a user in Prague visits a U.S. website, would they be protected by the regulation?
First, generic, nonspecific marketing doesn’t apply. The business or organization would have to specifically target a data subject in one of the EU countries. If that same Prague user visits a website written in English for U.S. or B2B / B2C consumers, it wouldn’t fall into the regulation’s jurisdiction. If the marketing is in the language of the specific country (in this example the Czech Republic) and references are made to EU users and consumers, the site would be considered targeted marketing and the regulation would apply.
Further, if the site accepts the country’s currency for payment and/or have a U.S. website that can be accessed with .cz from the Czech Republic, the case is made.
Who in the U.S. is most likely to fall under the geographic scope of the regulation? Any U.S. based e-commerce, hospitality, software service, or travel businesses would be smart to review their marketing policies to ensure compliance. Any U.S. company, however, with an identified market in any EU country and localized website content should review their policies as well.
Consent
If your U.S. company has EU-directed online marketing forms or interaction utilities, they must be edited to request explicit consent from the data subject. Consent must by freely given, informed, specific, and unambiguous.
As an example, if your Marin or Sonoma County business plans to run a promotion in Wales and has assembled a website page to gather email addresses, at a minimum a checkbox must be included, with no default “x” present, with specific language about how exactly the email addresses will be used. And you can’t cheat and require the data subject to click on a terms and conditions style legalese-filled page on your Marin web design instead.
When a consumer signs up for a service or buys something, the company or business must incorporate into their website a way to obtain explicit permission for any possible use of the personal data with checkboxes for email promotions, sharing with third-party affiliates, and more.
Once the data is gathered, the U.S. company or organization is then required to protect it under regulation rules. If your web design is already meeting the requirements of such security standards as PCI DSS and ISO 27001, compliance with this regulation should prove to be relatively simple.
Breach Reporting
The new 72-hour breach notification component of the regulation, however, will require all businesses to step up within their IT departments.
Breach is defined as an event involving the accidental or unlawful alteration, destruction, loss, unauthorized disclosure of, or access to, personal data that’s stored, transmitted, or otherwise processed or used. When such occurs, IT groups or departments must immediately analyze the incident to determine whether any the affected or exposed EU personal data identifiers can threaten the freedoms and rights of EU data subjects as defined by the regulation.
While there is some leeway in assessing risks, a sizeable exposure of email addresses or personal data containing information connected in any way to financial or medical information, or identifiers connected to children, requires notification to an EU regulator or acting supervising authority within 72 hours.
High risks, defined here as risks to fundamental property and privacy rights, like the exposure of credit card numbers or passwords, require that the data subjects themselves also be notified.
Penalties
Questions remain as to how the EU plans to enforce these rules against nations outside the EU, including the U.S. It’s determination to establish and maintain a uniform data and privacy law has already brought massive change to the web practices of major U.S. businesses and organizations.
To make sure their dedication is understood, the EU has included significant fines to be imposed for failure to comply with the regulation. Failure to report a breach to a regulator within 72 hours will result in fines of up to €20 million or 4 percent of global revenues, whichever is higher.
Needless to say, any company with a website needs to immediately evaluate their web policies and practices now, get compliant, and set their procedures so the unthinkable doesn’t happen.
Need Website Help?
Need help in ensuring your Marin County website is compliant and has a General Data Protection Regulation notice? Contact me or email to hello@brynhowlett.com and I’ll help you establish the notice for your website’s compliance.
Rob - Clarip
On the issue of whether you need to target EU citizens: I don’t believe this is the case. I think it is sufficient to just actually be collecting the data of EU citizens.
It has been some time since I have looked at the text with this issue in mind and future decisions of the data protection authorities will probably clarify it at some point. But my recollection is that anyone who is processing EU citizen data can fall within the law.