In May 2018 one of the biggest changes in data security law in the last two decades came into force in the EU. Known as the General Data Protection Regulation (GDPR), it’s a change that has been dominating the headlines in Europe, with companies forced to make sweeping updates to their privacy terms and the way they operate.
If you’re a company that doesn’t do its main business in Europe, or you’re a business hoping to expand internationally, you could be wondering how this affects you. This guide provides an overview of the new GDPR legislation and how to set up for European trade.
The new GDPR rules are designed to protect the data of anyone who is in the EU. This is an important point of distinction; if the EU citizen is not within the EU at the point of data collection, GDPR will not apply.
Often referred to in Canada and North America as Personally Identifiable Information (PII), the GDPR protects what the EU calls “personal data”. Any organisation that collects this type of data from individuals in the EU will be subject to this law. Contrary to popular belief, a financial transaction does not have to take place for GDPR to apply.
You also don’t need to be physically present in the EU to be bound by GDPR rules. This means that if your business wants to reach individuals within the EU via a web presence, you will need to be GDPR compliant.
Many organisations have opted to be over-cautious when considering the reach of their website and GDPR, but the law is quite clear about how it applies.
If you are just marketing your services or products generally outside the EU, and are not specifically targeting customers in any EU country, GDPR doesn’t apply.
What counts as targeting customers, however, can be a little less clear. If any of the following apply, you would be considered to be targeting EU customers:
There are other markers too; these are just some examples that could be used.
If in doubt, it’s safer to make sure you’re complying with GDPR law to prevent any accidental breaches as hefty fines are in place.
If you’ve identified that your company’s practices might fall under GDPR law, you’ll need to make sure that when you obtain any consent it is “freely given, specific, informed, and unambiguous”. This is the wording GDPR specifies.
To comply with this requirement, this is what you’ll need to do:
For most companies in the US or Canada, these rules should not be too onerous, as they’re loosely similar to what’s already in place in native law. However, GDPR also requires any breaches to be reported within 72 hours to the relevant authority. Any company that fails to do so will be hit with a huge fine.
This may present a larger challenge, along with the remedial actions that businesses are required to take in the event of a breach. Right now, it’s not clear exactly how the EU plans on enforcing fines for breaches of EU law outside its jurisdiction, but it’s clearly something that it will be taking very seriously.
For many businesses that already have strong data security processes in place, GDPR doesn’t have to be a painful process. Using the above information you should be able to establish whether it applies to you and, if so, what you need to do.
Making consent clearer and more explicit, making it easier for customers to understand what will happen with their data and handling personal information responsibly is something that every company should be willing to do – regardless of whether GDPR applies.