At this point, you’ve probably been inundated with emails from various companies notifying you of updates to their privacy policies in light of the General Data Protection Regulation (GDPR) coming into enforcement in the European Union. Depending on the company, you may have been asked to confirm your subscription or update your settings. So, you may be asking what the GDPR is, what it does, and whether your business’s current website needs to comply with these regulations.
What is the General Data Protection Regulation?
The European Union’s passage of the GDPR resulted in changes to data privacy laws and regulations across Europe. Since these new regulations went into force in May, the EU has had the strongest privacy and data protection laws in the world. Businesses that process personal information of EU citizens are required to comply. For purposes of the GDPR, personal information includes any and all data that on its own can be used to identify and/or communicate with an individual.
The GDPR was implemented for two primary reasons. First and foremost, the GDPR harmonizes the data protection laws across the EU, enabling businesses operating in Europe to comply with a uniform set of regulations rather than having to structure their websites to comply on a nation-by-nation basis. Even Britain, in the midst of post-Brexit reorganization, has agreed to implement these new regulations and increase restrictions on data and privacy regulation.
Second, the GDPR provides a clear set of identity-related rights for EU citizens, including the right to clearly understand and easily access the personal information held by companies that collect this type of data. Clear, written consent is required for companies to collect personal information from individuals, including disclosure of the type of information being collected and stored by the business. There are further obligations for companies to provide secured data management and default to restrictive privacy settings, and of course there are fines for those who fail to comply.
Businesses operating in the EU need to have a clear understanding of the type of personal information they collect on users, what the company is doing with it, and where the weaknesses in their infrastructure are, and they need to implement written policies for data protection. Businesses should also plan how they will monitor for and report data breaches so that they are ready to disclose an incident within 72 hours of the event. While these new rules and regulations likely won’t stop hackers and data breaches, the hope is that companies will have better monitoring in place and be able to react to problems sooner.
Does My Business Need to Comply?
Businesses with EU customers should have already brought their online operations into compliance. However, what compliance concerns should you have if you’re a small business serving clients only in California?
Well, the answer depends on what your business does with its website. If a website is purely informational, for example, a retail store providing location information, hours of operation, and company-related updates, it is unlikely that the business would need to comply with the GDPR, as it doesn’t collect any user information in order to operate.
However, that same store would want to comply with the GDPR if it collected user information, such as names and email addresses, in order to send out monthly newsletters with sale information and special events. According to the GDPR, any business that collects personal information from individuals located in an EU member country (more accurately, the “European Economic Area”) is required to comply with these rules. Certainly, if you’re selling anything abroad, or simply making your site available for use by individuals in the EU, it’s more likely that you’ll need to comply.
Given the increasingly borderless nature of the internet, the next question for a business owner is whether it’s likely that your business will collect information from users in EU countries.
To answer this, your website should use an analytics service that provides geographic information about where your hits are coming from and whether those hits convert into purchases, calls, newsletter signups, or whatever else a customer may do when they visit your site. This analysis should give you a good understanding of where your customer base is located and whether you have any volume of traffic or information being collected from EU-located users.
Next, you should consider whether your website and/or marketing currently targets EU-located users. For example, if your website clearly markets to and targets California customers, then it’s less likely that your website will pick up EU-located customers, making you less likely to be subject to the GDPR. However, if your business’s online store offers customers options such as making purchases in euros or shipping items to EU countries, you are more likely to be seen as soliciting business from EU-located customers.
Exactly how the European Parliament and regulatory bodies plan on collecting large fines for breaches of the GDPR from businesses located outside the EU’s control is still unknown. However, participating in the cross-industry move toward stricter data and privacy protections for users is a good public relations move for any business.
In most cases, compliance would likely be a matter of reviewing privacy policies and information handling procedures. If your website stores its users’ personal information, it is an ideal time to revisit how your business monitors that information and what your procedure is for notifying customers in the event of a breach.
If you need to bring your business into compliance with the GDPR, or if you’re unsure about whether these new regulations would apply to you, reach out to the team at Chase Law Group, P.C. by calling (310) 545-7700. We can help you determine whether you need to comply and what specific steps your business would need to take to be in compliance.