If you have not already been moving towards understanding the GDPR and complying with it, you are now pretty late in the game for a good result.
The basic premise of the GDPR concerns how firms will handle personally identifiable information (PII) and how the notification of data breaches and data transferal will be handled.
One of the key aspects of the GDPR is extraterritoriality. The traditional view of this is that of a person or site that is not subject to the rules and regulations of the country in which it is currently located: for example, a diplomat or consulate. However, the Internet is an entity for which the concept of national borders does not exist. This is both a boon and a bane. It is a boon because if you are trading online, your customer base is potentially global; it is a bane because of difficulties regarding the underlying legislation concerned with transaction and post-sale obligations. This is in relation not just to PII, but to all aspects of consumer law, too.
Prior to the GDPR, it was almost impossible to apply EU privacy obligations to data controllers and processors outside of the EU. The only way that privacy legislation could be enforced was if the processing of data was performed within the borders of the EU. However, the GDPR circumvents this issue by changing the scope of extraterritoriality. Any non-EU organisation will fall within the scope of the GDPR if it is offering goods or services to individuals in the EU. For example, if a Chinese website offering widgets has support in English, French, German, or any other European language on its site; processes multiple orders a day from EU citizens; and then ships to them, that company must comply with EU standards of data protection, even though it has no establishment in the EU and is not performing any data-processing activities within the EU.
Such companies are treated as though their transactions were carried out on Tottenham Court Road, or Rue du Bac. Companies like Dropbox that offer free cloud storage must comply with the GDPR, as the regulations apply to information regardless of the commercial aspect. Free or paid for, it is still under scope. Social media is also covered; if your platform, or Minecraft server, has EU citizens registered, you fall under scope.
The GDPR will offer a high level of protection to individuals in the EU whose data is processed by organisations that are established outside the Union. The first thing to understand is that this legislation is enforceable in your non-EU jurisdiction. There are very few, if any, caveats. The US government recognises this and has changed the US-EU Safe Harbour program. eTrust was not stringent enough and has been replaced with Privacy Shield. This has already forced US companies to alter the way they deal with PII concerning EU citizens. It is important to remember that the vast majority of countries have far more stringent privacy laws than the US.
What Can I Do?
Seven quick steps:
- Determine whether you’re a controller or a processor: Data protection is split into two roles: a controller and a processor. Both parties are liable for data subjects’ data protection. These do not have to be two separate entities, but it is necessary to understand the terms and roles.
- Audit your data: This should be a must anyway, as it will flush out stale records, but you need to work towards a single record of truth. This will be needed if you receive an erasure ("right to be forgotten") request.
- Work with your legal team and GDPR experts to determine which EU member state will be your supervisory authority: There is a requirement to appoint a representative for your company. This person is the point of contact for all communications with the GDPR supervisory body. There are plenty of options.
- Appoint a data-protection officer: This is not a requirement; however, it may be wise. Confirm that this person has the necessary expertise.
- Make sure that your consent and disclosure policy is front and center: It is a requirement that EU citizens have the ability to select and decline those policies. You also need to be able to track and comply with their choices.
- Audit your third-party providers: Remember that if your provider is unable to confirm GDPR compliance, any work that it does on your EU data is unlawful.
- Consider data locality: If you have a large number of EU customers, consider splitting out that data to an EU-based cloud instance or data center.
It is important for all companies to evaluate whether these new obligations will apply to them and, if this is the case, to take prompt action to ensure that they are compliant. Remember that you will have to lie in the bed you make, so be sure to make it comfy!