With one week left before the EU’s General Data Privacy Regulation (GDPR) takes effect, we have been fielding a lot of questions about how, or if, it applies to businesses here in Lancaster. Here are three questions to help you determine if you should worry about the GDPR.
- Who does it apply to?
It is easy to think that businesses here in the U.S. need not worry about the EU’s data protection laws unless they have stores or employees in Europe. But the GDPR’s reach is much broader than that. If you have the data of an EU citizen or use a service located in Europe, then the GDPR probably applies to you. Here are a few examples where the GDPR applies:
- You send email blasts and some recipients are in England (yes, England is still in the EU… for now!).
- You have a digital list of mailing addresses to send out physical mail and some recipients of that mail are in Italy.
- You use an online marketing service that processes your clients’ data on servers in Germany.
- What data is protected?
Okay, okay. So I have contacts in the EU on my mailing list. But names and addresses aren’t protected, right? Wrong. Unlike many U.S. laws, such as Pennsylvania’s Data Breach Notification Act, the GDPR is very broad in its definition of protected information. For example, under Pennsylvania law you need a name combined with some sensitive piece of data, like a social security number or bank account, before the law applies. But the GDPR applies to any identifying information. This includes names, email addresses, physical addresses, and social media names, plus all the sensitive stuff you would expect like financial and medical information.
- So what must I do with protected data?
The GDPR’s framework sets out a basic set of rights for all data subjects (the people whose data you have). You need to be prepared to honor these rights, including:
- Right to access – the data subject can demand a copy of what you have
- Right to rectification – you have a duty to correct inaccurate data “without undue delay” after the data subject tells you it is incorrect
- Right to erasure (also known as the right to be forgotten) – the data subject can tell you to delete their data
Beyond the rights of data subjects, the GDPR also requires those who possess the data to handle it appropriately. For example, if you give your customers’ data to a third party to help send out email blasts, you need a written agreement in place confirming that the third party will comply with the GDPR and help you protect the information. Depending on how frequently you encounter EU data subjects, you may even be required to designate a “Data Protection Officer” to handle requests or appoint an agent within the EU to respond to governmental inquiries.
Does the GDPR impact your business? It’s not too late to prepare before the GDPR takes effect on May 25, 2018. But this summary is just the tip of the GDPR iceberg, so contact your preferred legal counsel for tech law issues today!