You may have heard vague references to something called GDPR, short for General Data Protection Regulation, a robust set of digital privacy rules enacted last year in the European Union. So if it’s happening in Europe, how is it relevant in Wisconsin?
Why GDPR matters in the U.S.
The reason is simple: the world is shrinking. Businesses like Google, Amazon and Facebook, regardless of where they’re based, that process personal data about people in the EU must comply with GDPR. And if they’re changing their privacy policies for Europe, many find it easier to change them across the board—at least to some degree. (That’s why you’ve received so many privacy policy updates from companies in the past year.)
That means if your business has customers in the EU or processes data from anyone there, you need to be compliant too. That’s a lot more Wisconsin businesses than one might expect. Think of all the people in the world, including Europe, who purchase goods and services from local businesses. From franchise owners and licensing partners to people selling on eBay and Etsy, GDPR is affecting both business owners and consumers all around us.
Even if you merely track cookies or IP addresses and someone from the EU visits your site, it’s conceivable you may need to comply—though it’s hard to imagine anyone taking the time to track you down or prosecute you.
A lot of it comes down to intent and how intentional you are about marketing to citizens in the EU. In Wisconsin Lawyer, Keith Daniels of CyberCounsel says if you answer yes to any of these questions, you probably need to comply.
- Do you list your product price in Euros?
- Do you have a .de, .fr, or any other .eu website domain?
- Do you have websites or send out catalogs in a language used in an EU country?
- Do you promote EU case studies or articles on your website?
- Do you have sales offices, operation centers, European phone numbers, or branches in EU countries?
- Do you regularly travel to conferences and shows in the EU to sell your products?
What are the GDPR rules?
GDPR has created a new standard for consumer data collection, including how companies manage and use it. The regulation is essentially designed to require more transparency from companies and give consumers more control over how personal data is used and by whom. The law is detailed in hundreds of pages of requirements. In general, GDPR gives consumers the right to
- Know what specific companies have data about you, how they use it and whether they share it with other organizations.
- Access and move your data.
- Have your data erased in some circumstances.
The regulations affect all organizations that collect any personal information of any kind, even if only email addresses.
GDPR and data breaches
Another important component of GDPR concerns data breaches. If your company has data on European citizens and you experience a breach, you have 72 hours to notify a European agency. If that breach exposes those citizens to high risk, you must also alert users directly.
Additionally, you’ll need a data processing agreement with any vendors you use to process personal data to ensure they’re GDPR-compliant. Think email and survey platforms, cloud storage services or web analytics software.
How can I be certain my company is GDPR compliant?
The GDPR official website outlines the rules for companies and the rights for citizens and offers a wealth of information about compliance. Experts say the best place to start is by conducting an assessment to determine what personal data you control, where it’s located, how it’s secured and whether it adheres to GDPR’s privacy principles. To ensure you don’t miss anything in your assessment—or in the steps you take to adhere—gdpr.eu offers a checklist for U.S. companies to help you secure your organization and protect your customers’ data, including:
- Conduct an information audit for EU personal data
- Inform your customers why you’re processing their data
- Assess your data processing activities and improve protection (see Data Protection Impact Assessment on gdpr.eu)
- Enter data processing agreements with your vendors
- Appoint a data protection officer (this applies mostly to larger organizations)
- Designate a representative in the European Union (see Recital 80)
- Have a plan in place in case of a data breach
- Comply with cross-border transfer laws
Another important step is to create and post online your privacy policy; gdpr.eu also offers a template to get you started.
By David Pierce, a business lawyer at Johns, Flaherty & Collins, SC. For more information about Wisconsin business laws, call him at 608-784-5678.