EU’s strict GDPR regs are a €20-million risk to your business. (Don’t say we didn’t warn you.

Reprinted from our March 28, 2018 News Fetch

Plus, here are a few links News Fetch has published since then:

• Consumers will severely punish you if you fail to protect their personal data. These are the top 10 ways
• NEWS FETCH — May 18, 2018 … Marketers see GDPR paring their email lists but improving results
• NEWS FETCH — May 17, 2018 … A practical guide to the European Union’s GDPR for American businesses
• NEWS FETCH — May 15, 2018 … Google’s go-it-alone approach to GDPR rankles publishers
• NEWS FETCH — May 14, 2018 … Publishers, ad tech firms scramble to comply with GDPR
• NEWS FETCH — May 7, 2018 … What Europe’s tough new data law means for you, and the internet …
• ALSO on May 7… Worried about GDPR? Just build radically private software
• Today’s Daily Data: The EU’s strict GDPR privacy rules start TOMORROW! These are the items users most want you to delete.

---

IF You have visitors from the European Union, AND You save ANY personal information (including data in many cookies), THEN You must comply with the GDPR by this May 25 …

… OR Face fines of up to €20 million or 4 percent of your global revenues.

WTF is GDPR?

GDPR  is the EU’s General Data Protection Regulation which puts big sharp teeth into the protection of personal data.

 

Currently, Facebook, Amazon, Google,  and other companies large and small (undoubtedly yours as well) feel that they own the data collected about customers, website visitors and other sources like emails.

 

GDPR turns that on its head and mandates that the user owns their data.

 

This means any personal data whether from:

 

• website visitors (tracking cookies),
• subscribers to blogs, podcasts, news releases,
• people who receive emails (especially from services like MailChimp),
• click on web ads (like those served up by ad services like DoubleClick).

And because the user owns their data, it means that companies must ask permission before gathering and ask permission before using.

What are you going to have to do?

This excerpt from HIPAA Journal lays it out:

 

The rights afforded to EU citizens and the major GDPR requirements for US companies include:

 

• Ensuring data is only collected when there is a legal and lawful reason for doing so.

 

• Obtaining consent before personal data is collected, stored, or processed.

 

• Obtaining consent from parents or legal guardians before children’s data is collected or processed.

 

• Implementing controls to ensure the confidentiality of data is safeguarded.

 

• Training employees on the correct handling of personal data.

 

• Ensuring EU citizens’ right to be forgotten can be honored and that it is possible to permanently erase all collected data.

 

• Ensuring EU citizens are informed about how their information will be collected and used, similar to the Notice of Privacy Practices required by HIPAA.

 

• Making sure data transfers across borders occurs in accordance with GDPR regulations.

 

• Putting data breach notification policies in place to ensure EU citizens receive notifications of a breach of their personal data.

 

• It may also be necessary for organizations to appoint a Data Protection Officer. That individual must have a thorough understanding of GDPR requirements for US companies as well as the infrastructure and organization of their company

 

Google’s taking GDPR seriously … but their changes may not be enough

Google — which owns DoubleClick and serves more ads via AdWord than any other company in the solar system announced last week that  it was making “Changes to our ad policies to comply with the GDPR.”

 

However, this article from PageFair (affiliated with Adobe) cautioned that the approach was only a partial compliance.

 

Thanks to GDPR, Facebook’s problem is now YOUR problem — only more immediate

While the U.S. Federal Trade Commission and Congress do their usual dithering about what to do about Facebook, the EU started working on this three years ago and have redefined ownership of personal data.

 

Facebook will spin and dance, apologize, agonize and sanitize things in the U.S. a bit over the coming months … maybe years. But when it comes to the EU, the big teeth will start to bite, and bite often.

 

Obviously, the more EU web visitors and customers you have, and the more data you collect, the bigger the bulls-eye painted on your business.

What can the EU actually do to you?

This article (GDPR Compliance Requirements and Implications for US Companies) tackles that issue:

 

“[C]an the European Union impose a fine or penalty on a US or otherwise external organization?

 

“The simple answer is yes, although the extent of the penalty and how it is enforced will be dependent on many factors, such as:

 

• local due process
• current unilateral trade agreements
• whether you are exclusively based in the US or have an EU presence
• or whether you have a presence in a country outside of the EU, but which has strong ties to the EU through trade agreements

 

“But yes, the simplest way for the EU to impose a fine or penalty on a non EU-based company is to use local data protection regulations.

 

“Increasingly, GDPR is being seen as the standard model for other countries, so you may find yourself subject to local rules based on GDPR compliance principals that impose even greater restrictions and penalties. In other countries, the primary route for ensuring compliance and enforcement will come from the Data Protection Authority.”

 

It is not out of the question that the U.S. or some of its more activist states like California might pattern a set of laws after GDPR.

 

This article: GDPR: How is it Different from U.S. Law & Why this Matters? offers deeper insights on possible issues and consequences.

 

What Does GDPR Mean for Marketing?

This article from Hubspot examines how marketing and sales have to back off on “Big Data Targeting.”

Two more articles of note

• WTF is GDPR?
• Blockchain technology is on a collision course with EU privacy law