Marketers need to be able to answer two essential questions . . . 1) What is the GDPR? and 2) Does it apply to my business or client? Let’s add a third and a fourth question, since there’s a very good chance the GDPR does apply: 3) What happens if my business / client doesn’t comply, but ought to? and 4) How does my business / client get started?
This five-minute read is not meant to answer all your questions, which likely requires a chat with an attorney to discuss your specific business operations and data collection/sharing practices. Rockridge® would love to work with you, and in the meantime we’ll introduce you to the language of GDPR (British accent appreciated, but not required). Without further ado . . .
What is the GDPR?
While the GDPR is relatively new, those crazy Europeans have been regulating data since the dawn of the Internet (the GDPR replaced the 1995 Data Protection Directive). Over time, the EU sought to strengthen individual protections against the ways that Internet companies learned to mine and market consumer data, and to strengthen safeguards against leaks of personally identifiable information. The GDPR is the result: a regulation strengthening data protection and privacy for individuals in the European Economic Area (EEA) while permitting the lawful free flow of information across borders. If you want to sound proper, you may refer to it as the General Data Protection Regulation. In the Southern United States, we fondly refer to it as, “those Gosh Darn Privacy Rules!”
The GDPR was adopted in April 2016, entered into force that May, and became enforceable on May 25, 2018, which is why your inbox filled up with “We’ve Updated Our Privacy Policy” notices that week.
Individuals within the physical borders of the EU (and the wider EEA), whatever their citizenship, hold enforceable rights over their personal data. The GDPR does not make that data their property in a strict legal sense, but it gives them control over much of how it is used. While protecting their individual freedoms, the regulation collectively, and ironically, refers to them as Data Subjects.
Basically, the GDPR boils down to:
The Right to be Forgotten
Data Subjects (again: individuals physically within the EU) have the right to request that a business delete their information. “Hey, lose my number, Google!” This applies to any business subject to the GDPR, whether it’s located in the EU or not. And it not only covers information the Data Subject provided, but any other information collected about them, i.e., analytics, notes, etc. The right is not absolute: a business may keep data it is legally required to retain, or needs in order to establish or defend legal claims, but it must be able to point to such a reason.
The Right to Access
The Gimme Gimme Rule, aka Right to Access, means that Data Subjects are entitled to request that a company share with them what information it holds about them, including where it came from and who it has been shared with, and that the company provide it free of charge, normally within one month.[1]
Privacy by Design
Privacy by Design is a term of art meaning “build it in from the bottom up.” Rather than bolting privacy onto existing systems, systems should be created, or re-created, with privacy and data protection in mind, and with the most protective settings as the default. This also means collecting the minimum data required for conducting business operations.
Data Portability
Personal data a Data Subject has provided to a business (by filling in a form, say, or through their account activity) must, on request, be handed back to them, or transferred directly to another business where technically feasible. The right covers data processed by automated means on the basis of consent or a contract; it does not extend to data the business has derived or inferred on its own. The idea behind this element is to allow consumers to move freely from company to company. The information that is ported must be provided in a common, machine-readable format.
Strengthened Consent
Get ready to implement more check-the-boxes into your systems, because strengthened consent requires that permission be obtained per use case of a customer’s data. If your company collects an email address in order to send order and purchase information, it must separately ask for consent before using that email for marketing purposes; a pre-ticked box, or consent buried in the terms of service, doesn’t count. Further, consent can’t be messy, unintelligible, hidden, or tricky. All consent requests must be written in a way that the company’s intended consumers can understand, and withdrawing consent must be as easy as giving it. Keep a record of who consented, to what, when, and which wording they saw, because the burden of demonstrating consent is on the business.
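The five rights above translate into a small set of operations on a data store, and the most common engineering mistake is treating “consent” as one global flag. Below is an added example, written for this article and not code from the original page, of a minimal in-memory consent ledger: consent is recorded separately per purpose (so consent to order updates never unlocks marketing), withdrawals are kept as history rather than deleted, the access export returns everything held (provided and observed data plus the consent trail), the portability export returns only the data the subject provided as JSON, and erasure removes the lot. The class and method names, the purpose strings, and the sample subject are hypothetical.

```python
"""Per-purpose consent ledger with access, portability and erasure helpers.

Added illustration, not code from the article. Names, purposes and the
sample records are hypothetical; a real system would persist this durably.
"""
import json
from dataclasses import asdict, dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional


def _now() -> str:
    """ISO-8601 UTC timestamp, kept as a string so exports are JSON-ready."""
    return datetime.now(timezone.utc).isoformat()


@dataclass
class ConsentRecord:
    purpose: str                       # one record per purpose, e.g. "marketing_email"
    given_at: str                      # when the box was ticked (evidence)
    notice_version: str                # which plain-language notice the subject saw
    withdrawn_at: Optional[str] = None

    def is_active(self) -> bool:
        return self.withdrawn_at is None


@dataclass
class SubjectData:
    provided: Dict[str, str] = field(default_factory=dict)   # data the subject gave us
    observed: Dict[str, str] = field(default_factory=dict)   # analytics, notes, inferences
    consents: List[ConsentRecord] = field(default_factory=list)


class ConsentLedger:
    """Controller-side store keyed by the subject's email address (hypothetical)."""

    def __init__(self) -> None:
        self._subjects: Dict[str, SubjectData] = {}

    def register(self, email: str, **provided: str) -> None:
        self._subjects[email] = SubjectData(provided={"email": email, **provided})

    def observe(self, email: str, key: str, value: str) -> None:
        # Data we derive or collect ourselves (page views, CRM notes) lives apart
        # from what the subject provided; portability only returns the latter.
        self._subjects[email].observed[key] = value

    def record_consent(self, email: str, purpose: str, notice_version: str) -> None:
        # Consent is granular: a new purpose needs its own separate record.
        self._subjects[email].consents.append(ConsentRecord(purpose, _now(), notice_version))

    def withdraw(self, email: str, purpose: str) -> None:
        # Withdrawal must be as easy as giving consent. The record is closed,
        # not deleted, because the history is our proof of what was agreed.
        for c in self._subjects[email].consents:
            if c.purpose == purpose and c.is_active():
                c.withdrawn_at = _now()

    def may_use(self, email: str, purpose: str) -> bool:
        # Default deny: no active record for this exact purpose means no processing.
        subject = self._subjects.get(email)
        if subject is None:
            return False
        return any(c.purpose == purpose and c.is_active() for c in subject.consents)

    def access_export(self, email: str) -> Optional[dict]:
        # Right to access: everything we hold, including observed data and the
        # consent trail, not just what the subject typed into a form.
        subject = self._subjects.get(email)
        if subject is None:
            return None
        return {
            "provided": dict(subject.provided),
            "observed": dict(subject.observed),
            "consents": [asdict(c) for c in subject.consents],
        }

    def portability_export(self, email: str) -> Optional[str]:
        # Data portability: only data the subject provided, in a common
        # machine-readable format (JSON). Derived data stays out.
        subject = self._subjects.get(email)
        if subject is None:
            return None
        return json.dumps(subject.provided, sort_keys=True)

    def erase(self, email: str) -> bool:
        # Right to erasure: provided and observed data go together.
        return self._subjects.pop(email, None) is not None
```

Before any outbound email, the sending code calls `may_use(email, "marketing_email")` and stops on `False`; the `order_updates` consent never answers that question. The two exports differ on purpose: the access export includes `observed` and the consent history, the portability export does not.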
If you’re not doing business in the EU, you’re probably saying, “None of this applies to me!” You’d be wrong . . .
The GDPR Applies to Almost Everyone
The GDPR impacts anyone who does business within the borders of the EU or with EU Data Subjects, and that’s almost everyone. GDPR is an extraterritorial regulation: a company with no EU presence is covered when it offers goods or services to people in the EU (paid or free) or monitors their behavior there, for example by tracking visitors with analytics or advertising cookies.
If your company does not screen customers for their location at the time of processing, you could be inadvertently collecting and using the information of Data Subjects without realizing that the GDPR applies to that processing.
Examples of when the GDPR applies to a non-EU company:
– You collect customer data of any kind that could be personally identifying, such as name, email, IP address, etc., or you use software that does this on your behalf (Google Analytics, marketing automation, sales CRM), and some of those people are in the EU.
– Your digital properties have tracked the behavior of EU visitors (analytics, advertising pixels, session recording) at any time since May 25, 2018, the GDPR’s enforcement start date. Merely being reachable from the EU is not enough on its own, but monitoring the people who arrive is.
– You’ve done business of any kind with a Data Subject, including non-financial transactions (free trial, download, free sample, etc.), while that individual was in the EU, or you target them there afterward.
For instance, Peter from Poland decided to take a tour of America (largely because he was fascinated with Elvis) and visited Grandpa’s Famous BBQ in Memphis.[2] Peter gave Grandma (working the checkout) his name, phone number and email address to place his order. He then returned to Poland (which is still in the EU, as of the date of this writing). Taking his order in Memphis was not GDPR territory. But if Grandpa’s Famous BBQ sends him a marketing email while Peter is in Poland, that looks like offering services to someone in the EU, and the business could invoke the GDPR.
If your company is in the business of advertising, you should take a hard look at your compliance obligations, particularly if you make money by aggregating and targeting audiences using consumer data. The data you’re using was likely not obtained under the requirements of strengthened consent. To be able to demonstrate consent, you may need to invest in new landing pages and forms; re-obtain consent for data uses not initially or explicitly requested; and scrub your existing databases of records for which no valid consent exists.
GDPR Penalties
What’s the harm with not complying with some foreign regulation? Money. And, depending on where you operate, possibly Time. Hard Time.
This is not akin to other cost-benefit risk assessments your business has traditionally performed. While there is certainly a cost (legal, tech, management, etc.) in implementing a new way of doing business that respects data ownership and privacy, the fines for non-compliance are very likely to be significantly greater.
For the most serious infringements, companies may be fined up to 4% of their annual worldwide turnover or 20 million Euros, whichever is greater; a lower tier (2% or 10 million Euros) applies to breaches of duties such as record-keeping, security and breach notification. The cap applies per infringement, not per affected individual, so violating the rights of 10 people does not multiply it tenfold, but a regulator setting the fine will look at how many people were affected, how badly, and for how long. Twenty million Euros is on the order of 23 million U.S. dollars.[3]
And don’t forget the Hard Time. The GDPR itself does not send anyone to jail, but it lets each member state add penalties of its own, and some national laws (the United Kingdom’s Data Protection Act 2018, for one) create criminal offences for the worst conduct, such as knowingly re-identifying de-identified personal data. C-levels and other company leadership should treat that as a real, if jurisdiction-dependent, exposure.
How Can My Business Comply with the GDPR?
If you believe the GDPR applies to your business — seek counsel. At Rockridge, we’ll review the legislation with you and help you prepare an exhaustive risk assessment. An immediate checklist for small to mid-size businesses looks something like this:
– Take a look at your data collection practices — what information is collected and who sees it;
– Do your due diligence with vendors who handle personal data on your behalf (they are “data processors”; you are the “data controller”): read their terms of service for compliance, and make sure a written data processing agreement is in place, which the GDPR requires;
– Adjust how you work with those vendors so that you are compliant;
– Review your own terms of service/terms of use and privacy policies, and update them as necessary to list your actual practices and simplify the terminology;
– Assign the role of GDPR Project Manager to someone in your business to handle Right to be Forgotten, Data Portability, etc. requests;
– Cut what you collect: the data you store about consumers should be only what’s necessary for your business;
– Ensure that all of your data collection forms have a prominent link to your privacy policies; and
– Notify site visitors about your cookie collection practices, and provide an opt-in, rather than an opt-out.
If you’re an enterprise business or scaling at full speed, you’ll likely need the additional help of technology firms, auditing companies, and a law firm experienced in privacy.
If you’re truly not worried about the GDPR after reading this article, that’s cool. Wait until you hear about the CCPA . . .
[1] Subject to some reasonability requirements.
[2] Grandpa’s Famous BBQ is intended to be a fictional business. We apologize to all the Grandpas in Memphis selling BBQ to foreigners — we don’t mean to suggest that you are violating the GDPR. Your BBQ is probably amazing. We’d love to try some, and please email us directly for our catering order.
[3] Give or take some inflation.
About RVL®
Rockridge Venture Law® is a certified B Corp law firm embracing the mantra of technology lawyers for good. Rockridge® services include corporate, intellectual property, litigation, M&A, privacy, technology, and venture capital law. Rockridge has been recognized as a B Corp Best for the World and Real Leaders Top 150 Impact Company, and has been featured by Conscious Company Magazine, Forbes, and other top media focused on industry leaders in impact and innovation.
The Rockridge team has worked with Grammy winners, Nobel Prize winners, and world champion athletes to create and monetize distinctive intellectual property assets. Rockridge clients include founders, investors, and multinationals scaling disruptive technologies and iconic brands. Rockridge is headquartered in Tennessee, with satellite offices in Durham, New Haven, and New York.
We’re Building Today’s Company for Tomorrow’s Economy® by leading clients through the dizzying array of information controls, by helping them to develop and monetize proprietary assets, and by enabling their impactful products, programs, and principles.
See case studies on how we’ve helped transformative companies at Rockridge Case Studies.