Tuesday, March 27, 2018

Do You Conduct Business Or Process Customer Information In Europe?


As of May 25, 2018, things are going to change...


The General Data Protection Regulation ("GDPR") takes effect on May 25th. If you have European clients and maintain any data about those clients or if you process any customer data in Europe or receive shared customer data from Europe, changes will be required.

This will have an effect on website Terms and Privacy Policies.

Before you panic...don't. 

While the EU regulation is quite a tome and there is definitely some complicated verbiage, many requirements are fairly straightforward. While not meant to include all requirements of the GDPR, the steps outlined here will provide a starting point for companies not familiar with the requirements to protect the private information of individuals that is in your possession or control. For the full GDPR, Click here

As used in this article, the term "Data" refers to any information relating to a human individual who can be identified by that information, including a name, ID number, location data, IP identifier, or one's physical, physiological, genetic, mental, economic, cultural, or social identity.

1.  If you don't have one, appoint a "Data Protection Officer." This is more important for large companies, but will be useful for small companies as well. This individual will monitor compliance with the GDPR, report to senior staff members, and be a point of contact with customers and employees. 

2.    Create a Data Protection Policy and include: 
  • how you process Data in the EU or that relates to EU citizens, 
  • how long you retain Data, 
  • how you provide Data to individuals requesting their Data, 
  • how you obtain consent to maintain and use that Data,
  • why you collect and process Data,
  • the type of Data held, and
  • a description of technical security measures to protect the Data.
3.    Create a Data Protection Impact Assessment.

4.    Obtain a positive 'opt in' authorization from EU citizens or from anyone where information is processed in the EU before collecting Data and make sure consents are clear and understandable. [Note: You may have noticed pop-up boxes on websites that ask for permission to use "Cookies."]

5.    Allow individuals a way to access and obtain their Data. You may have noticed that Google® has started providing a way for consumers to do this if you take a look at their Privacy Policy.

6.    Obtain parental consent from any child 16 or younger before collecting any Data. Note, in other nations, such as the UK, the age is 13 instead of 16. Make sure to check laws in each country in which you conduct business or gather any information.

6.    In the event of unauthorized disclosure of Data, you must report the breach to each affected individual and the EU country's data protection regulator within 72 hours after you learn of the access or disclosure.

In the event an entity does not follow GDPR rules, there are hefty penalties. Smaller offenses could subject an entity to €10 million, or 2% of the worldwide annual revenue of the prior financial year, whichever is higher while more serious offenses could result in penalties of €20 million, or 4% of the worldwide annual revenue of the prior financial year, whichever is higher.

For an interesting investigation in the UK, WhatsApp, Inc. undertakes not to share personal data with companies in the Facebook family, until it can satisfy GDPR requirements. You can access that undertaking HERE.



This blog is for educational and informational purposes only and is not legal advice. If you have any questions or concerns about your legal rights or obligations, please contact qualified legal counsel.