Today is May 25th, a day when creative entrepreneurs everywhere are scrambling to understand what GDPR (General Data Protection Regulation) is, why everyone is talking about it and what needs to be done to make sure their businesses are compliant.
Paige, an attorney for creatives from Paige Hulse Law, is joining me today for an interview all about GDPR and why it matters to your small business!
What is GDPR and why does it matter?
Paige: By now, chances are you’ve heard that the GDPR is taking effect today, May 25th. If you have a business that “services” any citizen of the EU, then this law applies to you. The GDPR will have global influence. Unless you can absolutely guarantee that no users from the EU will ever find their way to your website, you’ll need a GDPR notice and compliant consent measures.
The GDPR is a sweeping new security measure that is designed to protect the privacy of citizens in the EU, empowering them with control over exactly how their personal data is processed. This includes how it’s collected, stored, and then used. You may be thinking to yourself “well that’s fine, but I don’t have any EU clients, I’m in the clear!” Not quite so. Do you have an email list with any EU members on it? Do you know if EU citizens have ever left a comment on your site, or if you have processed their information via Google Analytics? You probably can’t say for certain, so better safe than sorry. And while it’s admittedly a pain to acquaint ourselves with such a dense new law… it’s important to understand why this legislation is taking place: for the enhanced security of personal information online. Even though as it currently stands, the GDPR is an EU-specific law (and already adopted by the UK), I wouldn’t be surprised if this is just the first step of many that the rest of the world will take in processing online personal data. In a time when we hear about hackers creating serious data breaches or shady companies selling email lists, the GDPR is simply putting the power of protection of personal data security back in the hands of users.
A more practical reason why you should care? Noncompliance will mean you are liable for very, very hefty fines. The maximum assessable penalty for noncompliance with the GDPR is 4% of the annual global revenue generated by the company. Avoiding liability for these fines will primarily arise out of failing to obtain sufficient consent, or failing to abide by the procedures set forth below.
As a small business, do I need to abide by GDPR?
Paige: Simply put, the GDPR will govern how you may process the data of EU members. “Processing”, in this sense, can be defined as “doing anything with that data”. For you, this means that the GDPR will govern anything you do with the personal data you collect from EU users (by “users”, I mean users of your website). The period of governance applies to everything you do with that data from collection point to deletion point.
While the GDPR protects EU users, it applies to any business that collects personal data of EU users (more on that below). It doesn’t matter if you’re in the US, Canada, etc. It applies to any relationship, transactional or otherwise, where one party is geographically located in the EU. This could be either the website owner or the user; the only time the GDPR will not apply is when both parties are not located in the EU. For your purposes, just play it safe and assume that the GDPR applies to you. According to Article 2 of the GDPR, the only time it will not apply is when:
“in the course of an activity which falls outside the scope of Union law; by the Member States when carrying out activities which fall within the scope of Chapter 2 of Title V of the TEU; by a natural person in the course of a purely personal or household activity; by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.”
Basically, if you use personal data for any business-based reason, the GDPR applies. You will only be able to retain that data if you have a “legal reason”, or for something like tax purposes.
If I do not get it right by May 25th, will I be fined?
Paige: The closer May 25th has gotten, the more I’ve gotten this question. Let’s just say, you’re not alone if the deadline snuck up on you as well!
There is a lot of fear-mongering surrounding the GDPR right now, and while yes, it’s a law you will need to comply with; no, you will not get fined if you are not in compliance on May 25th. I have a couple of things to say about this: first, we are all acting as if May 25th was the strict deadline (which of course it was); but what many businesses failed to realize is they were acting on the assumption that the May 25th deadline was based upon their time zone. I received more than 30 emails on the night of the 24th stating “action required to stay on my list”, etc. If we want to get technical about it, with the time zones factored in, it was already the 25th in the EU. I’m splitting hairs with this example to a certain degree, but I bring it up just to say if you are not 100% compliant by the 25th, EU officials aren’t going to come knocking down your door.
Second, I want to be clear when I say that this law is dense and somewhat vague, and many gray areas or gaps in the understanding of the regulation will have to be fleshed out in court. These gray areas will, unfortunately, be clarified by companies much larger than ours (think, the Amazons and Facebooks of the world).
My point? This law is designed to protect the privacy rights of EU users around the world. It wasn’t designed to run small businesses into the ground; it was designed to prevent international giants such as Facebook from being sloppy with your personal data.
Do your best to comply, but don’t let the GDPR steal your peace of mind. Run your business with integrity, and when it comes to processing people’s data, do your best to be responsible, ethical, and transparent.
Another note: the US has not specified exactly how they will support the EU in implementing the fines that I mentioned above. We are talking about some very complicated international law jurisdictional issues. Therefore, while I’m not telling you to ignore these regulations, I’m just saying, don’t listen to any fear-mongers who are saying you’ll get fined if you’re not 100% in compliance by the 25th. It’s not true.
What steps should be taken to ensure compliance with GDPR?
Paige: I’m going to break this response into two parts: the first, things you need to do ASAP (as in, by the end of the day if you can), and the second, things you should put as a high, high priority on your business to-do list.
As I mentioned before, the following action items are all high priority, but can be put on the back burner only until Part 1 is done!