Are you compliant with the general data protection regulation?
By John W. Tulac
The European Union’s General Data Protection Regulation (GDPR) took effect on May 24. The GDPR is now a part of your business life, whether you realize it or not. GDPR potentially applies to just about everyone.
Unless you are strictly local in your business and approach to marketing, the GDPR is relevant to you if you use email or the web to advertise, market or promote your business. What is required for regulatory compliance today if you deal directly or indirectly with people in the European Union has also just become best practice, even if you don’t.
Within a year or two, what GDPR requires, or something very similar to it, will likely be required for regulatory compliance everywhere. Very simply, the third-party platform providers from Google to Facebook to Constant Contact to WordPress (well, you get the idea) must be fully compliant, and they will eventually force you to become fully compliant as well. Compliance won’t be that difficult or onerous for most companies, so it makes sense to do it now.
The purpose of the General Data Protection Regulation is to protect against the risk of wrongful use or disclosure of personal data. You must have a lawful need to collect, process or store personal data. GDPR compliance applies to:
- Your website
- Your email
- Your cloud and databases
- Your papers and files
- All third party platforms you use
- Credit card processors and merchant accounts
Personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address. Yes, technically GDPR applies only to personal data of E.U. residents. However, enforcement is extraterritorial. This means that unless you specifically give notice to exclude E.U. residents from accessing your website or email, GDPR can apply to you.
A person must know and give informed consent in advance of providing data. Your policy statement:
- Must be in writing
- Must be compliant with GDPR
- Must be publicly accessible
- Must state what personal data is collected, why it is collected, and what is done with it, including whether and with whom you share it
- Must state how personal data is stored and protected
- Must notify individuals when the policy statement changes
Your security systems must be GDPR compliant. Your software, firewalls, encryption, etc., must be upgraded to current versions that are GDPR compliant. All major third-party providers have become GDPR compliant. Check to see what upgrades you will need. Many upgrades are free.
E.U. individuals must have easy access to their personal data and be able to easily update it, delete it or request its deletion, object to profiling or automated decision making, and move their personal data elsewhere. You must delete it when it is no longer needed or legally required to be kept. You must also delete it when the individual withdraws consent; this is the new “right to be forgotten” (except where you are legally obligated to keep the data for a given period of time). Automating these functions is highly recommended.
Data breaches must be reported within seventy-two hours of occurrence. Notice must be given to affected parties of any potential or actual adverse impact from the breach.
Sanctions for non-compliance with GDPR can be severe. A company can be fined up to twenty million Euros or four percent (4%) of annual turnover (sales volume).
The E.U. GDPR Portal is actually very good. It is found at https://www.eugdpr.org
It has a summary of key changes, a well-designed set of FAQs, and the full text of the regulation. It is a good resource.
Compliance with GDPR may be a pain, but for most companies it should not be onerous. Even if GDPR doesn’t apply to you, it only makes good business sense to adopt its requirements as best practices.
John W. Tulac is an international business attorney practicing in Claremont, adjunct professor of law at University of La Verne College of Law (retired), and Lecturer Emeritus (retired) at Cal Poly Pomona. He is peer recognized as preeminent in international business law and holds the highest ratings for competence and ethics from the Martindale Hubbell National Law Directory.