General Data Protection Regulations (GDPR)

By Heidi Tandy, Esq.

If you’re a North American company that collects data from residents of the European Community — even if it’s just for business purposes — you need to evaluate whether you need to be in compliance with at least some aspects of the European Community’s brand new General Data Protection Regulations (aka GDPR) by Memorial Day, 2018. If you do – and aren’t prepared with a designated Data Protection Officer, an audit of all the data you collect and how you use it, a Data Governance Program that’s customized for your business, and a Privacy Policy that’s part of your terms of use/customer agreements – then you aren’t fully prepared for the GDPR, and your business risks facing fines and lawsuits in connection with non-compliance.
Luckily, there’s still enough time to get prepared.

Preparation means your audit needs to include summaries of what information you collect, including personally identifying information (“PII”) such as names, email addresses, usernames and IP addresses, as well as information that is matched with PII, such as data about what site a user is coming from, how much time they spend on your site, and information they provide via forms or orders. It’s also vital to document why your use of the information is lawful, how long it is retained and what the data is used for — and that information needs to be public, in an FAQ or other informational page, which is accessible on your website, and via social media pages on Facebook if you collect information on users who communicate with you there.

Recent issues involving Facebook and privacy are significant, but going forward, a company that collects information via Facebook about Europe-based users has a notification and opt-in obligation, and non-EU users may become accustomed to seeing GDPR-compliant privacy and breach policies, and look for them before doing business with or using a specific website.

The penalties for non-compliance are stiff, with penalties for data breaches, especially those that aren’t timely reported, clocking in at 4% of a company’s annual revenue or 20 million euros, whichever is lower; the cost of complying with the requirements of the GDPR is considerably less — and compliance is a good way to be sure your customers know that they can trust you with their information. As the EU’s Commission says, “The objective of this new set of rules is to give citizens back control over their personal data, and to simplify the regulatory environment for business.”

In other words, through this regulation created by the European Parliament, the Council of the European Union and the European Commission, the EU’s goal is to create, as TechCrunch recently said, a framework in which consent to the collection and use of personally identifying information “should be an ongoing, actively managed process; not a one-off rights grab.” While aspects of the GDPR are still undefined, compliance with defined components, such as privacy policy language, the information acquisition audit process and a data breach workflow should be developed and instituted by any company that collects information from EU residents. “Best practices” can be seen by EU residents as a positive business action.

We are able to work with your company and consultants to audit the processes and purposes behind your collection of Personally Identifying Information and create a Privacy Policy and Breach Notification Process customized to the industry, business, purposes and goals of your business – or your clients’. Heidi Tandy, Esq. has spent over 20 years creating Terms of Use and Privacy Policies for large corporations, small businesses and nonprofits, and understands how to create a culture of privacy that protects individuals’ information and meets the requirements of the GDPR as well as US privacy regulations, while balancing business interests.