Mitchell: GDPR: EU’s New Privacy Law – Does It Affect You?

If your business collects personal data from people residing in the European Union, regardless of where in the world your business is based, then it’s most likely in progress with an implementation plan to comply with the GDPR (General Data Protection Regulation) that comes into effect on May 25, 2018. If your business falls into the first bucket but hasn’t started yet, then it’s as late as being a 50-mile drive away from its best friend’s wedding that starts in 4 minutes.

I’m not a lawyer, nor do I play one on TV, so none of what I write here is legal advice. Businesses should consult with their own legal counsel to learn whether the GDPR applies to them.

The GDPR was approved by EU parliament in April 2016 and gave companies 2 years to comply. It replaces and expands upon the Data Protection Directive from 1995 and gives Europeans more control over their data. The fines for non-compliance of GDPR are steep: up to 4% of the offender’s annual global revenue or 20 million euros, whichever is larger. That’s per violation.

It doesn’t affect me, my company is US based and doesn’t market to European residents. If 1 EU resident found your company’s website or call center, gave their personal information and it was collected, then the GDPR applies. Whether the authorities are going to prosecute your company for non-compliance is perhaps another matter; Gartner predicted in May of last year that 50% of US businesses that are actually subject to the GDPR will not be compliant by the end of 2018, so 1 inadvertent offense is less than minute compared to big banks, retailers and social media sites who actively collect and process EU customer or client data for millions of people. But the law is the law, so be educated and prepared.

I don’t collect personal information from my EU-based customers. “Personal Information” may go beyond what you think. Any data that identifies a natural person as that person – or that does so when combined with other data – is personal information. According to the Definitions outlined in the GDPR, it can include things like “name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.” It even applies to ‘pseudonymized’ data, i.e. data that is encrypted or de-identified but could be transformed to re-identify someone.

My company only has 50 employees, we can’t possibly be subject to the same rules as large companies. Companies with fewer than 250 employees are not required to comply with some of the record-keeping requirements unless the data processing it performs “is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data … or personal data referring to criminal convictions and offenses.” But other than those exceptions, businesses of all sizes are subject to the GDPR.

Your business may not fall under the GDPR’s jurisdiction, but since the law tends to get tighter not more loose over time, and the frequency of data breaches and abuse of customer data in the US is now almost as frequent as a Trump administration replacement, don’t be surprised if the US data privacy rules eventually change in favor of heightened data protection for Americans. Furthermore, your company may reach a point where it’s too cumbersome to manage several different sets of rules for customers in different countries, and find it more efficient to apply the policy with the lowest common denominator – the most strict rules – to the whole international database. So why not read on to see what the EU has mandated, and how that affects email marketers?

 So what does the GDPR say, in a nutshell? I repeat my earlier disclaimer that I’m not a lawyer, what I’ve written in this post is not legal advice, and any business should seek advice from their own legal counsel. These basic requirements below are paraphrased from a whitepaper by Osterman Research, titled “A Practical Guide for GDPR Compliance”, published in July 2017, but there are many more details associated with them, than what’s here:

• Have a legal basis for collecting and processing personal data, meaning direct consent from the data subject, a contract or legal obligation to do so, or other basis.
• Collect and process data securely, and only process for legal purposes. Protect that data from being accidentally or maliciously accessed. Also prevent it from being transferred outside the EU.
• Make sure there are additional safeguards for the processing of the personal data of children, if your business offers services directly to them.
• Do not process personal data revealing what the GDPR refers to as “racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership”, nor “genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.” There are some exclusions to this rule.
• Ensure your company meets the new higher standards for consent to data collection. Amongst other things, it can’t be a prechecked box saying “Yes I agree”, nor can it be based on any kind of implied consent. It also can’t be written in ambiguous language, nor can it be bundled together with consent for other things.
• Document how, why and where data is being collected, and be prepared to prove compliance with GDPR. Appoint a qualified data protection officer to manage this.
• Respond in a timely manner to any data subject’s request about what data you collect, process or transfer about him/her. Also, correct any inaccurate data held about him/her.
• Be able and prepared to delete all the data you have on a subject, if requested. The data subject must be able to withdraw consent easily, and that applies to consent given before and after the law comes into effect on May 25. Companies need to re-obtain proper consent from anyone who gave consent that is not compliant with GDPR.
• Data must be ‘portable’, meaning your business must be able to supply to the subject their personal data in a structured format if requested.
• Minimize the amount of data collected, to only what is required for a specific processing activity.
• Notify the supervising authority of a data breach within 72 hours of learning of it.
• Have other methods of making decisions about people, rather than just automated processing and profiling.
• Do an assessment of the risks to the rights and freedoms of collecting and processing personal data and create a plan to avoid those risks.

The full GDPR regulation can be found here.

The US is governed by anti-spam laws set out in CAN-SPAM, while Canada is governed by CASL, Australia by the Spam Act of 2003 and New Zealand by the Unsolicited Electronic Messages Act 2007. That covers the main English-speaking world markets other than the UK. All of these regulations are specific to email or other electronic communication as well, while the GDPR more broadly regulates the processing of personal data. An email address is personal data, so for email marketers all mentions of personal data and data subjects in the GDPR apply to your program.

Helpful Anti-Spam Compliance Guides for the US and Canada:

CAN-SPAM (US): https://www.ftc.gov/tips-advice/business-center/guidance/can-spam-act-compliance-guide-business

CASL (Canada): http://fightspam.gc.ca/eic/site/030.nsf/eng/h_00211.html