The deadline is looming for businesses to comply with the European Union’s General Data Protection Regulation (GDPR) on May 25, 2018. Yet many US-based companies may be woefully unprepared for the impending privacy regulations. Many don’t fully understand how, or even if, they are impacted.
The GDPR has been called the most important change to data privacy regulations in the last 20 years. That’s because the new regulation requires businesses that process or store personal data to protect the privacy of EU citizens for transactions that occur within EU member states – even if your business is not based in the EU.
Which Businesses Must Comply:
- Your business has a presence in an EU country
- Your business has no presence in the EU, but processes the personal data of European residents
- Your business has more than 250 employees
- Your business has fewer than 250 employees, but its processing or storage of personal data impacts the rights and freedoms of EU citizens and includes certain types of sensitive personal data.
That effectively means almost every company – including US-based affiliate businesses – must comply with GDPR.
If you’re an affiliate, here’s how you might be affected. If you collect a visitor’s personal data for an email list, a newsletter, or to send out deals, coupons and special offers, you need to comply with GDPR if you have any visitors from EU countries. Although affiliates are not handling the actual transaction data for purchases, they may still be gathering specific private information on visitors – even if those visitors willingly opt-in for a newsletter or deal email.
Any affiliates doing retargeting campaigns that involve EU citizens would also be impacted by GDPR.
Additionally, under the new rules, any third-party partners you use are also directly and legally obligated to comply with GDPR. Let’s say you use an application like MailChimp or a CRM system like Salesforce: it’s not enough that they are compliant. Both parties must comply. That’s because your business is responsible for passing data to that third party and is in charge of how it will be processed and for what reason.
Applications frequently used by affiliates, including MailChimp, Constant Contact, HubSpot and Salesforce, are among the providers that report having certified under Privacy Shield, showing their intention to follow GDPR’s rules on the transfer of data between countries.
What Constitutes Personal Information?
Under GDPR, personal information is anything that can be used to directly or indirectly identify a person.
- Basic identity information such as name, address and ID numbers
- Web data such as location, IP address, cookie data, and RFID tags
- Bank details
- Email address
- Posts on social networking sites
- Health, genetic, and medical data
- Biometric data
- Racial or ethnic data
- Political opinions
- Sexual orientation
What Compliance Looks Like
Companies will be allowed to store and process personal data only when the individual consents, and for “no longer than is necessary for the purposes for which the personal data are processed.” Personal data must also be portable from one company to another, according to the regulation.
Additionally, companies must erase personal data upon request. This is known as the right to be forgotten. However, there are some exceptions. For example, GDPR does not supersede any legal requirements that an organization maintain certain data. An example of this would include HIPAA health record requirements.
However, GDPR isn’t always explicitly defined. It states companies must be able to provide a “reasonable” level of data protection and privacy to EU citizens. What the GDPR means by “reasonable” may be open to interpretation.
In addition, companies must report any data breaches to supervisory authorities and to the individuals affected by the breach within 72 hours of detecting the breach. Another requirement, performing impact assessments, is intended to help mitigate the risk of breaches by identifying vulnerabilities and how to address them.
Non-Compliance Could Be Costly
The penalties for non-compliance are steep – 20 million euros or 4 percent of global annual turnover, whichever is higher. For some companies that could be in the billions. The GDPR supervisory authority has the power to impose administrative fines based on several factors, such as the gravity of the infringement and whether or not steps were taken to mitigate the damage.
Still, it’s unclear how those penalties will be assessed. The biggest questions center around impact. Will fines differ for a breach that has minimal impact on individuals compared to a breach where exposed personal data results in actual damage? In any case, penalties could cripple small companies or startups.
The consensus is that the regulators will try to send a message early on by dropping the hammer on violators. However, it’s also not defined how those offenders will be brought to the attention of the supervisory authority.
Maybe that’s why some question the GDPR’s enforcement reach into non-EU member countries – like the United States. Will the EU be able to patrol, enforce and levy fines on small US-based businesses? In theory, yes. But the legalities are sure to be tested.
Behind the GDPR Curve
Big global corporations have long had GDPR compliance efforts underway. But smaller US-based companies are lagging behind. If your business is not in compliance by the May 25 deadline, you won’t be alone. According to a survey by Solix Technologies released in December, 22% of businesses were still unaware that they must comply with GDPR. Thirty-eight percent said that the personal data they process is not protected from misuse and unauthorized access at every stage of its life cycle. Half of those surveyed expect to be fined.
There is no one-size-fits-all GDPR readiness plan. But companies (and yes, even affiliates) need to implement appropriate technical and organizational measures for data protection. Depending on the size of your business, that means appointing a dedicated data controller or responsible team. It can also include staff training, internal audits of processing activities, and reviews of HR policies, as well as keeping documentation on processing activities. To prepare for GDPR, bodies such as the ICO offer general guidance on what should be considered.
The bottom line is that ignoring GDPR or failing to comply can result in serious fines that may cripple your business.