In preparation for the upcoming May 25, 2018 General Data Protection Regulation (GDPR) compliance deadline, I’ve compiled a list of FAQs on the application and scope of the updated GDPR to help you understand how GDPR applies to your business and what steps you need to take right now to ensure that your business is GDPR compliant. The GDPR coming into effect on May 25 replaces the Data Protection Directive, officially Directive 95/46/EC, which came into force in 1995. This means that GDPR is the first major change to data protection and privacy laws in Europe in over two decades. Considering how much the Internet has changed in the last 20 years, it is no wonder that GDPR comes with many changes and updates to past privacy laws that we’ve grown so accustomed to over the last two decades (which for some of us is an entire lifetime). Learn more about what you need to do to stay compliant through these frequently asked questions about GDPR and how it applies to you.
What is GDPR and what’s all the buzz about?
The General Data Protection Regulation (GDPR) is a new European Union (EU) regulation on data protection and privacy for individuals within the EU. Its purpose is to give EU citizens and residents more control over their personal data collected over the internet. It was adopted on April 27, 2016 with a two-year transition period, and becomes effective on May 25, 2018.
Since GDPR is the first update to data protection and privacy law in over two decades, it understandably introduces many new changes and updates to current privacy laws that we have grown so accustomed to over time. This has sparked fear and anxiety in online business owners, but its intent is not to intimidate but rather to give consumers an extra layer of protection over their personal data.
Although born in the EU and designed to protect EU residents’ and citizens’ privacy, GDPR has caught the attention of internet marketers, online entrepreneurs, bloggers, and anyone else with an online presence from all over the world because the scope of GDPR actually extends beyond only those individuals located in the EU. In fact, GDPR applies to anyone from anywhere in the world who stores or processes personal data from any individual in the EU. With the wide-reaching nature of the internet these days, it is nearly impossible to limit the use of your website to only those outside of the EU (unless you apply specific geo-blocking features and risk losing a big chunk of your customer base), and for that reason, GDPR in practice applies to just about everyone around the world with an online presence.
What is personal data, and what constitutes storing or processing?
Great question. Let’s break down the rule a bit further. Personal data refers to any data that can be used to identify an individual. For example, an email address would be sufficient in most instances to identify an individual, as would a phone number, physical address, social security number… you get the idea. Storing and processing also have pretty broad meanings and basically refer to any data you collect on your site, whether via a pop-up box, questionnaire, or any other way, and store inside your database.
In order to process personal data, you must have what is called a “legal ground for the lawful processing of personal data.” There are six legal grounds for lawful processing of personal data as provided by the GDPR guidelines, and #1, 2, 3, and 6 will be relevant to you:
1. Consent. The user must give clear affirmative consent for you to process their personal data. This means they must have entered their personal data into your system, or checked a box consenting for their personal data to be processed. You cannot simply take an email address you had from a user 10 years ago, put it in your current email list, and include an “unsubscribe” button in your email. You have to get affirmative consent from your users to have their personal information in the first place.
2. Contractual necessity. You’ve already entered into a contract with your user and are required to process their personal data as part of the contract. For example, if someone fills out an application to become one of your coaching clients for your online coaching business, you do not need to obtain separate permission to process the personal data they sent you in their application form.
3. Legal obligations. You’re required by law to process their personal information. For example, when you hire an employee, you’re required by law to obtain personal data from them, such as their social security number, so you can prepare a W-2 form for them at the end of the year for purposes of filing their taxes.
4. Vital interests. You are required to process your user’s data as a matter of life and death. This is more applicable to hospital systems, for example, and will likely not be applicable to any of you reading this.
5. Public interest. You are required to process your user’s data as a matter of public interest. This also will likely not apply to any of you reading this post.
6. Legitimate interests. You have to have a legitimate interest in processing the user’s data. There isn’t much guidance out there about what exactly constitutes a legitimate interest, so at least for the time being it can be interpreted pretty broadly. The key here is to make sure that whatever legitimate interest you claim to have in processing your user’s data is not outweighed by the importance of protecting that user’s data privacy. So as long as you can justify having some reason to process your user’s data for a particular purpose and that purpose isn’t overshadowed by some bigger purpose to keep the user’s data private, you have a legitimate interest in processing their data.
If, after going through this list, you’re still unsure as to whether you have a legal ground for processing a user’s data, think about it from a more practical standpoint: put yourself in your user’s shoes and ask if you would feel comfortable with having your data processed through your site. Would you expect to receive email communications from your business? If yes, continue. If no, stop.
I’m not in the EU. Does GDPR apply to me?
Yes, it very well could. Anyone who processes any personal data online from EU residents and citizens is subject to the GDPR. Personal data can include a name and email address, cookie information, or IP addresses. The most common ways I have seen personal data collected online are through pop-up email collection boxes, or through third-party providers like Google Analytics or MailChimp that track users’ cookies on third-party websites. That means if you use Google Analytics to monitor visitor statistics for your website or blog, and even one of your website visitors is in the EU, you are subject to GDPR because your users are subject to having their cookies (i.e. personal data) tracked when they visit your website.
At this point, you may be wondering: what if I don’t actively promote my website to users in the EU, but one of them happens across my site through no doing on my part? GDPR would still apply. That’s why I recommend that everyone with an online presence ensure they are GDPR compliant, because the wide-reaching nature of the internet these days makes it nearly impossible to ensure that users from a certain region are categorically barred from entry onto your site. Of course, if you wish to apply a geo-block to the entire EU region, you can do so and not have to deal with GDPR at all, but most business owners would probably not choose to go that route as it could substantially limit their customer base.
I don’t want EU customers, so I’m going to geo-block the entire EU region. Does that mean I can forget about GDPR?
Not so fast. You really want to think this one through. One reason you may want to consider being GDPR compliant even if you do not plan to promote to an EU audience is that other companies/brands outside the EU may not want to work with you unless you’re GDPR compliant. For example, say you have a VA business where you help clients map out and organize their email lists. Since your client’s email lists (which contain personal data) will be transferred to your hands, if your client has any data belonging to anyone in the EU, they will want to know that you are GDPR compliant. Thus, even if your client is based in the U.S. and you have the entire EU region geo-blocked from even reaching your site, your U.S. based client may not want to work with you if they have any EU users and you are not GDPR compliant.
What’s the punishment for violating GDPR?
By failing to comply with GDPR, you may be fined up to €20 million or 4% of your worldwide turnover from the last 12 months. Since it would be impossible for EU regulators to audit every single business out there, realistically, the only way you’ll get on EU regulators’ radar is if they receive complaints about your business. But remember, all it takes is one snitch to rat you out, so it is a much better idea to be compliant with GDPR from the get-go and not have to worry about what might happen to your business should it be investigated down the line.
But I’m not located in the EU. Can EU regulators really fine me?
Maybe not. However, as discussed above, not being GDPR compliant may result in your reputation being tarnished and loss of profits from clients not wanting to work with you because you’re not GDPR compliant. GDPR compliance reaches multiple levels, so simply zeroing in on your clients isn’t enough to make a decision to ignore GDPR; you need to think about your client’s clients and their clients as well.
Ok, so what should I do to be GDPR compliant?
If you’ve made it to this point, I applaud you for taking your business seriously by taking the time to try to get a better understanding of GDPR. This is the new wave of internet privacy regulations, and as online entrepreneurs, bloggers, and internet marketers, you need to have a strong understanding of GDPR so you don’t wake up one day down the line and realize how much damage has been done to your business because you decided to ignore GDPR way back when.
Hopefully my answers to some frequently asked questions about GDPR and how it applies to you gave you a better understanding of what GDPR is and what actionable next steps you need to take in your business to ensure GDPR compliance. Despite how long this post is, it is only an overview of GDPR and hasn’t even begun to dig into some of the nitty gritty nuances of GDPR. If you have any questions, please leave them below, and if you need GDPR compliant templates, send me an email at firstname.lastname@example.org letting me know what you need, and I’ll be sure to send over the link when they’re ready for purchase!