If you have EU customers and you're uncertain how GDPR impacts you, stop reading this and hire a lawyer. Now.
This is not legal advice. If you have EU-resident customers, hire a lawyer. Now.
I work for All Around The World, a consulting firm based in France. Not only have we been impacted by the General Data Protection Regulation (GDPR) law, our clients have as well. What we have seen is that there's often a lack of understanding of the consequences of GDPR and companies with EU customers face bankruptcy if they fall afoul of this legislation. The GDPR essentially forces companies to take security, privacy, and record keeping seriously. GDPR fines for non-compliance are designed to be severely punitive, up to and including driving companies into bankruptcy.
You do not need to suffer a data breach to be hit with these fines; if you regularly handle data on EU customers and you're found to not be complying with GDPR regulations, you may be sanctioned. What's worse is that local laws, such as the US CLOUD Act, are sometimes in conflict with the GDPR, meaning that you can be caught between contradictory legal requirements. You need a lawyer.
The EU worked for years on the law, finally adopting it on April 14th, 2016. It became enforceable on May 25, 2018. Companies had two years to get ready, so non-compliance is not tolerated. The Cambridge Analytica scandal has made the situation even worse. Though Facebook was fined £500,000 for misusing customer data, there's anger that this paltry amount was the maximum fine that could be levied at the time. Had GDPR been in effect at the time, Facebook could have been fined up to $1.8 billion. While "good faith" efforts to comply with the law will be taken into account, if the EU desires to make an example of a company (and they will), a US company taking money out of the EU will be a much more desirable target than bankrupting an EU company keeping money in the EU. You need a lawyer.
There is a strict requirement that you make a "good faith" effort to achieve GDPR compliance. Before anything else, you must realize that GDPR compliance is a legal issue, not a technical one. If you simply instruct your IT staff to make it easy to report and purge personal data, you're well on your way to bankruptcy. This is not a good faith effort because it demonstrates a lack of knowledge of GDPR regulations.
If you are found to be non-compliant, there are two levels of fines:
In other words, you face bankruptcy if you get this wrong. This is serious enough that many US-based Web sites are no longer available here in Europe. Complying with GDPR can be costly if your IT staff are inexperienced. Not to put too fine a point on it: the strong worldwide demand for software developers has led many companies to hire inexperienced developers. Even expert developers often build poor systems when faced with significant budget or time constraints. Companies rush to build software to solve problems now with little thought to the long-term consequences of poorly-built software. GDPR isn't going to improve this situation, but it's going to severely punish companies that get this wrong.
In order to achieve GDPR compliance, you need to, at minimum, do the following, keeping in mind that there are major caveats to each of these:
How these issues are applied will vary from company to company. However, keep in mind that you generally do not have the right to deny services to customers if they fail to give consent to having their data tracked. There are exceptions to consent, for example the processing of personal data for reasons of public interest, such as in the health sector. And yes, this also applies to your EU-resident employees, not just customers.
In short: if you handle personal information on a large scale or regularly monitor data subjects, you need a Data Protection Officer (DPO). Keep in mind that Recital 30 of the GDPR clarifies that IP addresses are personal information. Examples of companies requiring a DPO include:
Small-scale tracking of personal data, such as by individual doctors or lawyers, generally does not require a DPO.
Of course, the above list is not exhaustive. If you're not sure, consult a lawyer.
If you require a DPO, the following conditions apply:
The above list, of course, is not exhaustive.
Now, and only now, do we begin to touch on the IT considerations. The above was merely to give you a sense of the scale of the GDPR directives. This section is intentionally left short because it should not be viewed as a checklist to becoming GDPR-compliant. If in doubt, consult a lawyer.
The legal implications must be addressed first. Once you have a DPO (if needed), and have drafted a comprehensive plan to protect your customers' data, you can start work on how to implement this. Implementing GDPR requirements without fully understanding them risks wasting money and time developing systems that are not fit for purpose. Once you have a strong understanding, however, you can begin to address the following:
The security assessment is critical: all the "good faith" in the world isn't going to protect you if you have an Experian-style data breach. The EU wants to show that the GDPR has real teeth and you don't want to be the example.
Please leave a comment below!
Copyright © 2018-2020 by Curtis “Ovid” Poe.