There’s a lot of noise swirling around the internet about GDPR - what does it mean, is my business covered, do I need to do something? Here at Kronenberger Rosenfeld, we specialize in internet law, and attorney Ginny Sanderson is leading our charge with respect to GDPR. Here’s a recent question and answer session with her that will help you understand GDPR better.
Q: What is GDPR, and as an American-based business, do I need to comply?
The GDPR is a consumer privacy and data protection regulation that has been developed by the European Union (EU). Enforcement will be done at the individual country level and it is likely that the United Kingdom will adopt this regulation, or a similar version. The GDPR covers businesses that collect personal information over the internet from consumers and the disclosures that they provide about this collection:
In essence, the GDPR provides clarity about how and what personal data provided by the consumer will be collected, used, stored and shared when a consumer visits a website and/or performs a transaction. The second part of the GDPR focuses on the backend of data collection, i.e., when consumer personal data is transferred from the person or entity who collected it (under the legislation, the “Controller”) to its vendor (a “Processor”), including transfers from the EU to Processors located outside of the European Economic Area, including in the United States.
The GDPR obviously applies to businesses located in the EU, but it also applies to U.S. businesses that collect or process personal data of EU residents. This is especially true for U.S.-based businesses that direct marketing or sales efforts to the EU, including by maintaining a website with an EU-specific top-level domain (for example, .eu, .nl, .it), accepting payments in Euros, British Pounds or other European currencies, shipping product to EU addresses, advertising on EU-based websites, such as google.de, or advertising in languages specific to EU jurisdictions. Even if you do none of these things, but your website receives a consistent amount of traffic from the EU, the best bet is to ensure your privacy practices comply with the GDPR. However, if you own a U.S.-based business that makes no effort to do business with EU residents, and only attracts the occasional visitor from the EU, you have a good argument that the GDPR does not apply. Only time will tell how aggressively the GDPR will be enforced against U.S.-based businesses.
Q: What are the most important criteria that the EU regulation considers when determining GDPR compliance?
The most important criteria with respect to the consumer-facing disclosures include:
In addition, there’s a need for the business to be compliant with respect to data storage, and in particular whether the business has taken reasonable steps and safeguards to ensure that the data collected is stored safely in a robustly secure environment, and that the business partners with which consumer data is shared are trustworthy and will use the data properly, in line with the provisions set out in the privacy statement.
Q: What does a business that falls under the GDPR net need to do?
What makes GDPR compliance more onerous on companies is that, unlike historic practice, there is not a one-size-fits-all template that can be used to ensure compliance. Instead, the policy needs to be bespoke based on the specific facts and circumstances of how consumer data is to be collected, used, stored, and shared.
My recommendation is that you call me, (415) 955-1155, ext. 113, or send me an email and I can look at what you have and make recommendations about changes required for compliance. The timeline for compliance is May 25th, and the penalties, should your company be found to be non-compliant, are very stiff.
This entry was posted on Tuesday, May 15, 2018 and is filed under FTC Advertising Law Compliance, Internet Law News.