With the GDPR making headlines in Europe, not enough has been said about the new regulation applying to non-EU companies. European General Data Protection Regulation will come into force on May 25th 2018 and is already well-known for introducing high revenue based fines. Its main goal is to protect the EU citizens in their presence within the business processes including marketing, profiling and behavior monitoring. The Regulation introduces new approach to data protection in several areas, starting from the definition of personal data itself, but what is most important to you and your non-European company, focusing on increased territorial scope. The GDPR was designed and adopted by the European Union to protect the privacy of its citizens. Therefore, it applies also to non-EU controllers and processors of data. If you are offering goods or services to customers in the EU, if you process or monitor their data, it’s about time you start preparing for the new law.
What do you need to know?
According to the GDPR any information that can be used to directly or indirectly identify a natural person is defined as a personal data and is subject to the Regulation. This includes not only names, e-mail addresses, photos and work details, but also certain online identifiers such as cookies and IP address.
The GDPR shifts the control back to the consumer, introducing clear obligations to the business. First and foremost, there are strict rules on how to obtain consent for data processing and profiling. The consent must be freely given, specific, informed, and unambiguous, given for a specified reason. This provision delegalizes all common ways of hiding consent in long and complicated lists of terms and conditions or a forceful „agree to proceed” buttons. What’s more, the possibility to withdraw consent must be as simple as the way it was provided. The controllers are obliged to inform which data are being held and how they are being processed. They should also introduce procedures to fulfill the rights of the consumer to access and transfer the data, object to processing certain part of them or erasing all the data - based on their right to be forgotten.
As mentioned above, the GDPR is the first European regulation to name and regulate the process of behavior monitoring and profiling. Clearly, this will affect certain services provided by Facebook and Google and may change the way you look at marketing and business analysis in your company.
Privacy by design and breach notification
The GDPR is a type of general law which shifts the responsibility of policy adjustment to the business owners. As it doesn’t provide specific provisions on how to guard the privacy of the consumers, it requires the owners to design and apply a security system which is tailor made to the characteristics and risks of the actual data processing in their company. The GDPR specifies, however, that the controllers are obliged to notify the appointed institutions of any accidents of personal data breach within 72 hours. What’s important for a non-European company is that they will need to designate a representative in the EU who will act on behalf of the controller or processor and will be responsible for accidents of breach or non-compliance.
For a non-EU company it is also important to follow the provisions with regard to international data transfers. In order to ensure the accurate level of protection of personal data, the Regulation outlines restrictions on transferring information outside the EU. This includes standard contractual clauses and binding corporate rules.
What applies to all businesses which are subject to the Regulation are significant fines, upto 4% of annual turnover and EUR 20 million, which will be imposed according to the scale of breach or non-compliance.
Why does it apply to companies outside the EU?
The GDPR is there to protect the EU citizens, so if you collect personal data or behavioral information of an EU citizen, it does apply to you. What’s important is that it will apply to any company offering goods and services to individuals in the EU, regardless whether the goods are free or not. In practice if your website which is offering products comes into interaction with an EU citizen, if you’re a cloud service provider, or your company collects personal data even without any financial gain, you are subject to the Regulation.
How to prepare?
It may occur that your national law has already required you to protect the data in a manner compatible with the European law. However, keep in mind that it may not cover all the GDPR provisions, so if you’re planning on keeping your European clients you must be prepared for redesigning and adjusting your business model. Remember that fines will reach you even when you’re based outside the EU.