Have you begun preparing for GDPR? If you are like most, you haven’t even heard of GDPR, but also if you are like most, it IS going to affect your business, starting May 25, 2018.
The GDPR, or General Data Protection Regulation, was first introduced to the European Union Parliament in 2012 and passed in 2016 to take effect in 2018. http://www.eugdpr.org. The GDPR is “the most important change in data privacy regulation in 20 years” and it comprises comprehensive EU data protection regulations that are intended to create uniform privacy laws across Europe. The GDPR will probably change the way the rest of the world handles data as it applies to any organization outside the EU that offers goods or services to EU residents, and that includes doing business online. Due to its broad reach, it is likely to become a global standard, and even if you aren’t selling to EU residents, the companies you do business with may require you to certify compliance in order to maintain business relationships.
The Bad News
The bad news is that penalties for non-compliance can be stiff. Supervisory authorities are to impose fines that are “effective, proportionate, and dissuasive”; up to €20 million or 4% of global revenue, whichever is higher. You can read this is as: “Make an example out of the ones that don’t comply.” The highest fines are for not obtaining customer consent when collecting data and lesser fines for not keeping records in order or not following the notification rules in the event of a data breach, but expect fines to be stiff for any violation.
It isn’t just regulators that have enforcement powers, either. GDPR gives EU individuals the right to sue for damages in the state where they reside, independent from supervisory authorities. This means that even if you don’t attract regulator attention, your EU customers potentially have the right to damages if you get hacked. Further, the GDPR gives those individuals the right to bring an action against the supervisory authorities if those authorities don’t deal with a complaint against you.
The Good News
The good news is most of the rules make sense and bringing systems up to date won’t be difficult for most businesses. Also good news is that the GDPR applies to just about everyone, so compliance solutions should be widely available.
OK, so What Does this GDPR Make Me Do?
The first thing it is going to make you do is update the privacy policy on your website. Under the GDPR, your privacy policy needs to be accurate and explain in clear language what you do with customer data, so a 42 page policy in legalese or copying a privacy policy from another website could really cause problems down the road. The first thing regulators will look at after a data breach or consumer complaint is your privacy policy, and a policy copied from someone else is almost certainly not accurate for your business. If you have a data breach and the privacy policy you copied from another website says you delete collected information after 30 days but you really don’t, you have some explaining, and some fine paying, ahead. What you definitely don’t want is to try explain why your privacy policy is not accurate or up to date AND includes the contact information for an unrelated business because you didn’t even take the time to insert your own information into the privacy policy you copied from another website.
The next thing GDPR requires is that you obtain informed consent from EU residents before collecting their information, and if you are collecting a name, even a fictitious name, and an email address, you are collecting information. If you are collecting information, your privacy policy must set out exactly what information you will collect, why you are collecting it, and what you plan to do with that information. This means you need to state the obvious: you need to explain to your customer that you need his name, credit card information and billing address because you plan to charge him money for a product or service. If you collect other information, like viewing history to create customer profiles, you need to disclose that as well. If you intend to send marketing emails for your own websites or emails for a partner site, that needs to be included in your privacy policy. Basic rule is disclose, disclose, disclose.
Increased Data Security and Reporting
The GDPR has specific requirements for data processors and defines data processors very broadly. Under the GDPR, “processing” basically means doing anything with customer data, including collecting it, storing it, or deleting it, so everybody becomes a data processor. The GDPR requires data processors to implement security measures “appropriate to the risk” and implement processes for regularly testing those security measures. Again, using common sense and sound security procedures such as installing firewalls, requiring two part authentication and IP blocking for server access, will most likely get you across the threshold. The more sensitive the data you collect, the more secure your systems need to be, but first you need to understand what data you collect and how the GDPR classifies that data to determine how much security you will need for your systems. Layered systems, with greater security for more sensitive data, will likely be necessary even for basic online businesses.
Data Breach Notification Standards
The GDPR also mandates notification after personal data breaches. It defines a personal data breach as “ a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.” This means a hacker doesn’t need to steal data, just alter it or delete it to trigger notification requirements. If you discover a data breach, you have 72 hours to notify the supervisory authority, 1) describing the nature of the breach, including the scope of breach, 2) providing your contact information 3) “describe the likely consequences of the personal data breach”, and 4) what you plan to do about it. If the data breach is likely to result in a high risk to the individuals, which is as simple as there being a high risk your customers’ credit card information could be used for unauthorized transactions, you also need to notify those customers whose data was breached “without undue delay.” Taking a week to notify customers after a data breach because you didn’t already have a plan in place and had to take time to figure out how to respond probably would be “undue delay.” You will need to know what to do to comply with the notification requirements before disaster strikes in order to avoid “undue delay”, so start planning ahead.
Summary
This article barely scratches the surface of the upcoming General Data Protection Regulation. In many ways, the GDPR mandates common sense approaches to data security, but it is quite comprehensive and requires any entity that collects data from EU residents to evaluate how it collects data and what it does with that data. If your activities fit within the term “data processor”, and most will, you need to create and implement a compliance plan and put together a data breach response plan. Again, most of this is common sense but it takes time, money and effort, or the help of trained professionals, to make sure you don’t get caught with your pants down.
This article does not constitute legal advice and does not create any attorney-client relationship. You may contact the author at chad@chadknowslaw.com with any questions.
ChadKnowsLaw 