How Do the EU’s Data Protection Rules Affect My US Business?

Posted March 21, 2019 • 7 Minute Read

With data breaches and mismanagement all over the news in the last few years, more and more legislation is being introduced to combat these problems. You may have heard about something called the GDPR, a regulation that went into effect in the European Union in 2018. Essentially, any business with EU users or customers is now subject to some pretty strict data protection regulations.

Have a website with EU users or a retail shop with EU customers? You’re subject to these regulations. And even if you’re not yet directly affected or subject to these rules, it’s pretty likely that the rest of the world will soon follow in the steps of the EU—meaning now is the time to start making changes.

What is the GDPR?

The General Data Protection Regulation (GDPR) is a regulation that aims to better protect the data of EU residents. The GDPR sets limits on data collection and gives EU residents more control over how their own data is used. Any business—even businesses outside the EU—must adhere to these data protection rules if their “data subjects” (users or clients) are EU residents.

The GDPR is quite long (containing nearly 100 articles), so it can be daunting to try to make sense of it all. However, the biggest concerns for businesses affected by the GDPR primarily include the following:

  • data subjects must be informed of—and consent to—what data is collected and how it’s used
  • data subjects must be able to access their data upon request and request error corrections
  • data subjects must be able to move or transfer their data to other companies (“controllers”)
  • data subjects must be able to withdraw consent for data and request their data be deleted
  • data collected must be limited to what’s relevant, adequate and necessary
  • personal data must be adequately secured and shouldn’t be stored longer than necessary
  • data breaches must be promptly reported

While becoming completely EU compliant can be a huge undertaking, there are a few initial steps you can take to help begin the transition. Even if you don’t expect any EU data subjects in the near future, your customers are your lifeblood—and responding to the increasing desire for customers to have control over their data is good for businesses and customers alike.

Identify your data practices

  • Collection: First of all, what sort of personal data are you collecting? Of course, there’s data that a customer or user provides themselves, like comments, contact information or credit card information. However, there’s also other data that your business may collect as well, particularly from online users. For instance, you may track information such as a user’s IP address, browser type and usage habits.
  • Processors: Who is processing all this data? Some data you might process yourself while third parties—such as credit card processors or website plugins—might process other data. You’ll need to ensure that any third-parties that have access to customer or user data are also compliant with data protection laws.
  • Processing: What do you actually do with all your data? Is the data collected used to verify customers’ identities or send service messages about their account? What about analytics? Marketing?
  • Storage: Where is all of this data stored? How is it organized? Is it easy to retrieve? How long is it kept?
  • Protection: How do you—and any third-parties—protect data? In addition to encryption and anonymization, consider your company’s people and processes. For instance, within your business, how many employees have passwords, keys or other means of data access? Are sensitive but unnecessary files regularly deleted or destroyed?

Create a privacy policy

Once you thoroughly understand your data practices, you can create a privacy policy. Under the GDPR, clients have the Right to Be Informed. In other words, your clients need to know what personal data is being collected and how and why it’s processed. This is information is primarily communicated through a privacy policy.

A privacy policy should spell out everything related to personal data collection, processing, storage and protection in clear, easy-to-understand language. No confusing legal lingo. No epic paragraphs with important info buried inside. And, whenever you request consent for data, refer or link to your privacy policy.

If this sounds difficult, remember that businesses in the 28 EU countries now all have privacy policies like this—so there are plenty of models out there to help you get started.

Give an opportunity for clients to accept data practices

According to the GDPR, consent for data collection must be active, not passive. This means that customers or users must actually perform an action to show consent, such as ticking a box that says “I Agree.”

So, it’s not enough to just add a few lines to your Terms of Service saying “by using this site or service you agree to be bound by this agreement…” It’s not enough to provide only an “opt out” from data collection. You can’t even pre-select the tick box—the customer or user must tick their own box. And, after opting in, it must be just as easy to opt out later.

What does this look like in action? Since the GDPR went into effect, you’ve likely come across numerous examples of opt-in consent. When you go to a website that uses cookies to collect personally identifiable data, you get a pop up. When you subscribe to an email newsletter, every automated email has an option to unsubscribe. When you fill out an order form to buy a product online, you’ll see a link to the privacy policy. Users tend not to pay much attention to these sorts of details, but once they’re on your radar, it’s easy to notice how companies are responding to the need for informed, active consent.

Ensure you can respond to potential data requests

There are several major data-related requests that may come up after you’ve collected data from clients or users. You might get a request for data access or correction. Or, you could get a request to withdraw data consent or move data elsewhere.

You’ll need to be prepared to respond to these requests quickly. For instance, under the GDPR, businesses only have one month to respond to data access requests. This means your business needs the following:

  • Clearly organized, minimal data storage: You don’t want personal data to be in a hundred different places.
  • Systematized data retrieval: You also don’t want to have to manually pull together bits and pieces of data each time you receive a request.
  • Sufficient staff to oversee and manage data requests: Even a well-automated system will need human oversight, particularly for data correction requests.

Hire a Data Protection Officer (if needed)

Speaking of human oversight, your particular business may require a dedicated Data Protection Officer (DPO) for GDPR compliance. You’ll need a DPO if your primary business activity is related to data-processing or if your business requires “regular and systematic monitoring of data subjects on a large scale.”

What exactly does a DPO do? DPOs ensure compliance with data protection rules and are a point of contact in the event of a data breach. Lawyers and others with strong legal backgrounds are common choices for DPOs.

Create a data breach response plan

No one wants a data breach. Not only is it a PR disaster, but customers or users will be (rightfully) angry. This is why businesses often make the poor decision to ignore, cover up or delay reporting a data breach. However, the longer data is compromised, the more damage can occur.

The GDPR requires that once a personal data breach is discovered, it must be be reported within 72 hours to the Information Commissioners Office. The fine for failing to report a data breach is substantial—20 million euros or 4% of annual global turnover from the prior year (whichever is greater).

Again, even if you don’t have any EU users or customers, 72 hours is a good timeline to follow for your own data breach response plan. For instance, a plan could include a list of steps to take within the first 72 hours, such as investigating the incident, identifying the affected data, informing any regulators, and notifying affected users or customers.

Embrace change

Overall, it helps to consider the shift towards data transparency as positive. Yes, it will likely be somewhat inconvenient and expensive to implement GDPR compliant policies initially. However, developing data policies that better match the growing desire for people to control their own data will ultimately benefit your business.