In the last few days, we have all been inundated with emails about GDPR from organisations that had somehow got our email addresses onto their mailing lists. What on earth is that about? If you still don't know and want to know, GDPR stands for the General Data Protection Regulation, which comes into force today and applies across the European Economic Area (EEA). For those who are caught by it (and if you think you're not … do read on!), the complaint is that we haven't had enough time. To be fair, we have actually had two whole years to implement it, since the text was adopted in 2016. But being the procrastinators that we all are, we don't do anything about it until we have to.
Does GDPR apply to you even if you don't live in an EEA country and your business is strictly local? I would say there is a very high chance it does. Sadly for all of us, in today's global economy one piece of "tiny" legislation in a faraway land now affects all of us.
Let me explain why I say that …
What makes this particular piece of EU legislation so different? It's about WHO it applies to. It applies to ANY business that processes personal data relating to people who are in the EU, whatever their nationality (the Regulation talks about data subjects "in the Union", not EU citizens). No big deal. Unless you are based in an EEA country, you probably think that you're quite safe and that it has nothing to do with you, since you do not process data relating to people in the EU. Wrong!
Let's take one step back and look at the definitions. Personal data is defined as ANY data that can be used to identify a living person directly OR indirectly, e.g. name, address, email address, location data, IP address, or an online identifier. It is the "indirectly" that makes all the difference. Let's say you have an e-commerce store on your website. You may decide to pass a transaction ID through to your analytics software. Obviously, you cannot directly identify an individual within your analytics software from that transaction ID alone. However, cross-reference it with your e-commerce order records and you can now indirectly identify that individual. GDPR also states that personal data that has been key-coded (pseudonymised, like the transaction ID) still falls within scope where the key code can be attributed to a particular individual by using additional information, such as the order database that holds the mapping. Note too that an IP address is itself listed as an online identifier, and analytics tools such as Google Analytics collect and analyse IP addresses as a matter of course.
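The re-identification described above can be made concrete. The following is an added example, not code from the original post: it builds a constructed set of analytics hits and e-commerce orders that share a transaction ID, joins them to show how the "anonymous" analytics data becomes personal data, and then shows one pseudonymisation approach (a keyed HMAC over the transaction ID plus IP truncation) that leaves the analytics dataset unlinkable for anyone without the key while still being linkable by the key holder. The secret key, the sample records and the truncation policy are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import ipaddress

# Constructed sample data (not from the page): analytics hits carrying a
# transaction ID and a visitor IP, as an e-commerce site might send to its
# analytics tool.
ANALYTICS_HITS = [
    {"tx": "T-1001", "ip": "203.0.113.45", "page": "/checkout/complete"},
    {"tx": "T-1002", "ip": "198.51.100.7", "page": "/checkout/complete"},
    {"tx": "T-1003", "ip": "192.0.2.200", "page": "/checkout/complete"},
]

# Constructed e-commerce order records, held separately in the shop database.
ORDERS = [
    {"tx": "T-1001", "name": "Alice Example", "email": "alice@example.com"},
    {"tx": "T-1002", "name": "Bob Example", "email": "bob@example.net"},
    {"tx": "T-1003", "name": "Carol Example", "email": "carol@example.org"},
]

# Assumed secret: in practice this lives only with the shop, never with the
# analytics provider.
SECRET = b"shop-side-pseudonymisation-key"


def reidentify(hits, orders, key_field="tx"):
    """Join analytics hits to orders on the shared key.

    Returns a list of (page, ip, email) for every hit that can be attributed
    to a named customer. A non-empty result means the hits are personal data
    in the hands of whoever holds both datasets.
    """
    by_key = {o[key_field]: o for o in orders}
    matched = []
    for h in hits:
        o = by_key.get(h[key_field])
        if o is not None:
            matched.append((h["page"], h["ip"], o["email"]))
    return matched


def pseudonymise_id(raw_id: str, secret: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 of the ID, truncated to 16 hex chars.

    Without `secret` the pseudonym can be neither reversed nor recomputed from
    a guessed ID, so a plain hash-and-compare attack does not work. With the
    secret, the key holder can recompute it and link records again.
    """
    return hmac.new(secret, raw_id.encode(), hashlib.sha256).hexdigest()[:16]


def truncate_ip(ip: str) -> str:
    """Drop the host part of an address before it leaves the site.

    Policy assumed here: keep a /24 for IPv4 (zero the last octet) and a /48
    for IPv6, which is the same shape as the IP-anonymisation option offered
    by common analytics tools.
    """
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return str(net.network_address)


def pseudonymise_hits(hits, secret):
    """What the analytics provider would receive under the assumed policy."""
    return [
        {"tx": pseudonymise_id(h["tx"], secret),
         "ip": truncate_ip(h["ip"]),
         "page": h["page"]}
        for h in hits
    ]


def pseudonymise_orders(orders, secret):
    """The shop's own view: only the join key is transformed; name and email
    stay in the shop database, so the shop can still link everything."""
    return [dict(o, tx=pseudonymise_id(o["tx"], secret)) for o in orders]


def demo():
    """Return the number of re-identifiable hits under each scenario."""
    raw_hits_linked = len(reidentify(ANALYTICS_HITS, ORDERS))
    pseudo_hits = pseudonymise_hits(ANALYTICS_HITS, SECRET)
    # Analytics provider (or anyone with the raw order table but no key):
    provider_can_link = len(reidentify(pseudo_hits, ORDERS))
    # Key holder (the shop), which can recompute the pseudonyms:
    shop_can_link = len(reidentify(pseudo_hits, pseudonymise_orders(ORDERS, SECRET)))
    return {
        "raw_transaction_id": raw_hits_linked,
        "pseudonymised_without_key": provider_can_link,
        "pseudonymised_with_key": shop_can_link,
    }


if __name__ == "__main__":
    for scenario, count in demo().items():
        print(f"{scenario}: {count} of {len(ANALYTICS_HITS)} hits re-identifiable")
```

The point of the three counts is the one the paragraph makes: the raw transaction ID links every hit to a named customer, the keyed pseudonym stops a third party with the order table from linking them, but the shop holding the key can still do so, which is why pseudonymised data remains personal data in the shop's hands even though it may not be in the provider's.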
The other way to look at it is this. Your business is caught if:
- Your business has an office or other establishment in the EU – then you are in scope, full stop, whatever the nationality of your customers. The tests below only matter for businesses with no EU presence.
- Your website targets customers in the EU, e.g. by enabling people to order goods or services in an EU language (other than English) or by taking payment in euros – An "easy" fix, on paper: keep your website in English or a non-EU language and do not accept euros. Bear in mind that language and currency are only examples of the indicators regulators use to decide whether you are targeting EU customers.
- Your website mentions customers or users in the EEA – Again, a relatively easy fix. Make it a golden rule from now on that you do not mention EU customers or users in your blogs or social media accounts.
- Your business tracks individuals in the EU on the internet and uses data processing techniques to profile them, i.e. to analyse and predict personal preferences, behaviours and attitudes – THIS is the catch-all that very few will be able to avoid, since Google Analytics, Facebook pixels and similar tools do exactly this on your behalf.
Remember – we now do business in a global environment. If you use any form of cloud software at all, the chances are you have interactions with the EU. For example, platforms such as Facebook operate out of the EU, the UK and the USA (just to name a few), and Dropbox is a US operation. If you have a website, there's a good chance that it is hosted in the USA or the EU. If you have a "Contact Us" box on your website, then you have the potential to receive enquiries from anywhere … including the EEA countries. If you go to a networking function and are introduced to an EU resident who hands you his or her business card, then you hold "personal data" that identifies that EU resident. Even emails are not exempt from the clutches of GDPR: a person can be identified by their email address. Strictly speaking, it is not the mere holding of such data that brings a non-EU business into scope, but offering goods or services to, or monitoring the behaviour of, people in the EU. Once you are in scope for any of the reasons above, however, every record you hold about someone in the EU, right down to the email address on that business card, is personal data that you must handle under GDPR.
The maximum penalty for non-compliance is €20 million OR 4% of your worldwide annual turnover … whichever is the greater! Will this ever be applied? Who knows? My belief is that nothing will happen until something goes wrong – then the might of the EU will pick some poor unsuspecting soul who cannot afford to fight them and make an example of them. My question to you is … Do you want to be the test case?
As for Equipped 4 Success, we have ensured that we comply with GDPR. Our Privacy Notice has been updated to take into account the additional GDPR requirements. You can choose to ignore this – but I strongly recommend that you at least have a listen to the video by Suzanne Dibble. It is 2.5 hours long. As a minimum, listen to the webinar and then make your own risk assessment as to whether you can ignore GDPR or not.