Have you begun preparing for GDPR? If you are like most, you haven’t even heard of GDPR, but also if you are like most, it is going to affect your business, starting May 25, 2018.
The GDPR, or General Data Protection Regulation, was first introduced to the European Union Parliament in 2012 and passed in 2016 to take effect in 2018.
The GDPR is “the most important change in data privacy regulation in 20 years” and it comprises comprehensive E.U. data protection regulations that are intended to create uniform privacy laws across Europe.
The GDPR is “the most important change in data privacy regulation in 20 years” and it comprises comprehensive E.U. data protection regulations that are intended to create uniform privacy laws across Europe.
The GDPR will probably change the way the rest of the world handles data as it applies to any organization outside the E.U. that offers goods or services to E.U. residents, and that includes doing business online.
Due to its broad reach, it is likely to become a global standard, and even if you aren’t selling to E.U. residents, the companies you do business with may require you to certify compliance in order to maintain business relationships.
The bad news about GDPR.
The bad news is that penalties for non-compliance can be stiff. Supervisory authorities are to impose fines that are “effective, proportionate, and dissuasive”; up to €20 million or 4 percent of global revenue, whichever is higher. You can read this is as: “Make an example out of the ones that don’t comply.”
The highest fines are for not obtaining customer consent when collecting data and lesser fines for not keeping records in order or not following the notification rules in the event of a data breach, but expect fines to be stiff for any violation.
It isn’t just regulators that have enforcement powers, either. GDPR gives E.U. individuals the right to sue for damages in the state where they reside, independent from supervisory authorities.
This means that even if you don’t attract regulator attention, your E.U. customers potentially have the right to damages if you get hacked. Further, the GDPR gives those individuals the right to bring an action against the supervisory authorities if those authorities don’t deal with a complaint against you
It’s not just two teams of FBI agents trying to police all adult websites; the entire population of the European Union has a cause of action if you ignore this regulation.
The good news about GDPR.
The good news is most of the rules make sense and bringing systems up to date won’t be difficult for most businesses.
The regulations are intended to protect individual privacy and were written with input from a broad spectrum of stakeholders, unlike adult entertainment laws that were often written by special interests that really just wanted to regulate porn out of business.
Also good news is that the GDPR applies to just about everyone, so compliance solutions should be widely available.
Compared to the 18 U.S.C. § 2257 regulations that only applied to publishers of adult content, and where only a relative handful of compliance services are available, the GDPR applies to every entity that collects names and email addresses from E.U. residents, so expect more companies and professionals offering solutions.
So what does this GDPR make me do?
The first thing it is going to make you do is update the privacy policy on your website. Under the GDPR, your privacy policy needs to be accurate and explain in clear language what you do with customer data, so a 42-page policy in legalese or copying a privacy policy from another website could really cause problems down the road.
The first thing regulators will look at after a data breach or consumer complaint is your privacy policy, and a policy copied from someone else is almost certainly not accurate for your business. If you have a data breach and the privacy policy you copied from another website says you delete collected information after 30 days but you really don’t, you have some explaining, and some fine paying, ahead.
What you definitely don’t want is to try explain why your privacy policy is not accurate or up to date and includes the contact information for an unrelated business because you didn’t even take the time to insert your own information into the privacy policy you copied from another website.
The next thing GDPR requires is that you obtain informed consent from E.U. residents before collecting their information, and if you are collecting a name, even a fictitious name, and an email address, you are collecting information.
If you are collecting information, your privacy policy must set out exactly what information you will collect, why you are collecting it, and what you plan to do with that information. This means you need to state the obvious: you need to explain to your customer that you need his name, credit card information and billing address because you plan to charge him money for accessing your website or shipping a product.
If you collect other information, like viewing history to create customer profiles, you need to disclose that as well. If you intend to send marketing emails for your own websites or emails for a partner site, that needs to be included in your privacy policy. Basic rule is disclose, disclose, disclose.
There is increased data security and reporting with GDPR.
The GDPR has specific requirements for data processors and defines data processors very broadly. Under the GDPR, “processing” basically means doing anything with customer data, including collecting it, storing it, or deleting it, so everybody becomes a data processor.
The GDPR requires data processors to implement security measures “appropriate to the risk” and implement processes for regularly testing those security measures. Again, using common sense and sound security procedures such as installing firewalls, requiring two-part authentication and IP blocking for server access, will most likely get you across the threshold.
The more sensitive the data you collect, the more secure your systems need to be, but first you need to understand what data you collect and how the GDPR classifies that data to determine how much security you will need for your systems. Layered systems, with greater security for more sensitive data, will likely be necessary even for basic adult online businesses.
There are data breach notification standards with GDPR.
The GDPR also mandates notification after personal data breaches. It defines a personal data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.”
This means a hacker doesn’t need to steal data, just alter it or delete it to trigger notification requirements.
If you discover a data breach, you have 72 hours to notify the supervisory authority, 1) describing the nature of the breach, including the scope of breach, 2) providing your contact information, 3) “describe the likely consequences of the personal data breach,” and 4) what you plan to do about it. If the data breach is likely to result in a high risk to the individuals, which is as simple as there being a high risk your customers’ credit card information could be used for unauthorized transactions, you also need to notify those customers whose data was breached “without undue delay.”
Taking a week to notify customers after a data breach because you didn’t already have a plan in place and had to take time to figure out how to respond probably would be “undue delay.” You will need to know what to do to comply with the notification requirements before disaster strikes in order to avoid “undue delay”, so start planning ahead.
This article barely scratches the surface of the upcoming General Data Protection Regulation.
In many ways, the GDPR mandates common sense approaches to data security, but it is quite comprehensive and requires any entity that collects data from E.U. residents to evaluate how it collects data and what it does with that data.
If your activities fit within the term “data processor,” and most will, you need to create and implement a compliance plan and put together a data breach response plan.
Again, most of this is common sense, but it takes time, money and effort, or the help of trained professionals, to make sure you don’t get caught with your pants down.
Chad Anderson is a solo attorney practicing in copyright, trademark, business relations, privacy and security. Chad sits on the Arizona State Bar Rules of Professional Conduct Committee and is a member of the Intellectual Property section of the American Bar Association, American Mensa and the International Association of Privacy Professionals. You may contact the author at chad@chadknowslaw.com with any questions.