GDPR - In A Nutshell

Resources & Self-Education   |   Tuesday, May 15, 2018

Let the Experts at Kronenberger Rosenfeld Help You Walk Through The Details

There’s a lot of noise swirling around the internet about GDPR - what does it mean, is my business covered, do I need to do something? Here at Kronenberger Rosenfeld, we specialize in internet law, and attorney Ginny Sanderson is leading our charge with respect to GDPR. Here’s a recent question and answer session with her that will help you understand GDPR better.

Q: What is GDPR, and as an American based business, do I need to comply?

The GDPR is a consumer privacy and data protection regulation that has been developed by the European Union (EU). Enforcement will be done at the individual country level and it is likely that the United Kingdom will adopt this regulation, or a similar version. The GDPR covers businesses that collect personal information over the internet from consumers and the disclosures that they provide about this collection:

  • How it’s stored,
  • Who it is shared with,
  • How they (the consumer) can access, change or delete it, and
  • How it can be transferred to another business provider.

In essence, the GDPR provides clarity about how and what personal data provided by the consumer will be collected, used, stored and shared when a consumer visits a website and/or performs a transaction. The second part of the GDPR focuses on the backend of data collection, i.e., when consumer personal data is transferred from the person or entity who collected it (under the legislation, the “Controller”) to its vendor (a “Processor”), including transfers from the EU to Processors located outside of the European Economic Area, including in the United States.

The GDPR obviously applies to businesses located in the EU, but it also applies to U.S. businesses that collect or process personal data of EU residents. This is especially true for U.S.-based businesses that direct marketing or sales efforts to the EU, including by maintaining a website with an EU-specific top level domain (for example, .eu, .nl, .it), accepting payments in Euros, British Pounds or other European currencies, shipping product to EU addresses, advertising on EU-based websites, such as google.de, or advertising in languages specific to EU jurisdictions. Even if you do none of these things, but your website receives a consistent amount of traffic from the EU, the best bet is to ensure your privacy practices comply with the GDPR. However, if you own a U.S.-based business that makes no effort to do business with EU residents, and only attracts the occasional visitor from the EU, you have a good argument that the GDPR does not apply. Only time will tell how aggressively the GDPR will be enforced against U.S.-based businesses.

Q: What are the most important criteria that the EU regulation considers when determining GDPR compliance?

The most important criteria with respect to the consumer-facing disclosures include:

  • Are they complete?
  • Are they easy to understand, and, most importantly,
  • Does the consumer give active, informed consent?

The last aspect is the noticeable change as it is no longer acceptable for a website’s privacy statement to simply be a link in the footer. Upon a user’s first visit to the website they need to be presented with a link to the privacy policy, a short explanation of what it includes, and an opportunity to expressly accept the conditions set out in the policy or leave the site.

In addition, there’s a need for the business to be compliant with respect to data storage, and in particular whether the business has taken reasonable steps and safeguards to ensure that the data collected is stored safely in a robustly secure environment, and that the business partners with which consumer data is shared are trustworthy and will use the data in a manner properly aligned with the provisions set out in the privacy statement.

Q: What does a business that falls under the GDPR net need to do?

In most cases, the starting point is the revision of the website’s privacy policy to comply with the requirements stated above, which will most likely require some language changes and the implementation of a consent mechanism.

What makes GDPR compliance more onerous on companies is that, unlike historic practice, there is not a one-size-fits-all template that can be used to ensure compliance. Instead, the policy needs to be bespoke based on the specific facts and circumstances of how consumer data is to be collected, used, stored, and shared.

My recommendation is that you call me at (415) 955-1155, ext. 113, or send me an email, and I can look at what you have and make recommendations about changes required for compliance. The timeline for compliance is May 25th, and the penalties should your company be found to be non-compliant are very stiff.

This entry was posted on Tuesday, May 15, 2018 and is filed under Resources & Self-Education, Internet Law News.