The GDPR, or General Data Protection Regulation, is a regulation designed to give individuals control over their personal data and to simplify the regulatory environment for businesses operating in the European Union by unifying the EU's data protection and privacy rules. The regulation also addresses the export of personal data outside the EU. If the regulation applies to you, compliance begins May 25, 2018.
You may be asking why you should care; this sounds like an issue for individuals and companies doing business or living in the European Union. The problem is that this new regulation applies to all foreign companies processing data of EU residents. Even though you don’t operate in the EU, you may have an individual or company from the EU access your website. Even if you have only one customer whose data you are processing, storing or using, and that customer is an EU citizen, your company will be subject to citations and accompanying fines for not complying with the regulation. The fines can be as high as 4% of global revenue.
The regulation is drafted to exempt companies with a general internet presence that are not targeting EU residents. However, it does apply if the company offers goods or services to EU residents or monitors their behavior. While you may be able to avoid compliance by simply not actively offering services to EU residents, the chances of doing so accidentally are quite high, especially in primarily English-speaking EU countries. If the web page is in the language of an EU country and there are references to EU customers, the page would be considered targeted marketing and would be subject to the regulation.
An important aspect of this regulation is the lack of a financial transaction requirement. To fall under the compliance requirement you don’t have to make a financial transaction; you only have to collect data. So a simple survey, or allowing a login from an EU resident or citizen, is enough to be covered and to require compliance.
If you read all of that and are thinking “How do I just not deal with this?”, there’s a company called GDPR Shield that will simply block all European Union IP addresses. What is unclear is whether the use of a VPN (Virtual Private Network), which can mask an IP address, exempts a company from compliance. Does an EU user who uses a VPN to appear to be a U.S. user create a compliance requirement for a U.S. company?
Another issue is how the EU plans to enforce these provisions in the U.S., given that they likely lack jurisdiction to do so without additional activity in the EU. The EU has already stated that it will “forgive occasional U.S. offenders”, which is in my opinion an arrogant way of admitting they can’t possibly enforce this regulation against U.S. companies with no physical presence in the EU, since they lack jurisdiction.
For more information see the links below or contact us to arrange a consultation:
General Data Protection Regulation
Guide to the General Data Protection Regulation (GDPR)