Does your small to mid-size enterprise or start-up company handle the personal information of European Union (“EU”) citizens? Do you have plans to expand your business to handle a wider range of customer personal information in the future? Listen up, because missteps in complying with data privacy laws have huge consequences. Just ask Big Tech. Failure to comply with transparency and notice requirements and to obtain consent for ad personalization cost Google approximately $57 million (fines for infringing certain provisions under GDPR can be up to the GREATER of 20 million euros or 4% of worldwide revenues).
The EU’s General Data Protection Regulation (“GDPR”) regulates the use of its citizens’ personal data, including control over the export of EU personal data to countries outside of the EU. Implemented in May of 2018, GDPR simplified the EU’s previously fragmented data privacy landscape into a single powerful force. After Google’s recent fine, it’s safe to say that U.S. businesses have a reason to pay close attention to this new regulation.
Under GDPR, both data controllers and data processors suffer the consequences of failing to comply with GDPR. Controllers determine the purpose and means of processing personal data. Processors process personal data on behalf of controllers. For example, if Company A is selling something to consumers and determines the purpose and means of personal data processed and Company B is providing a service to consumers on behalf of Company A, Company A is the controller and Company B is the processor.
Joint control of personal data exists where two or more controllers determine the purpose and means of data processing (joint control leads to joint legal responsibility). It’s increasingly important to understand how your business partners are handling personal data. If a company you are doing business for or with is unable to explain their data processing habits in a clear and simple way, assume they will be unable to do so for consumers (a key requirement under GDPR).
Aside from being choosy about business relationships, what can you do to avoid GDPR fines?
- Consider the many ways your company might become subject to GDPR. Do you have an employee in the EU? Do you target ads to the EU? Have you collected emails that end in “.uk”? Plan to understand and comply with GDPR requirements.
- If your company holds data on more than 50,000 people and does business in California, be mindful California passed its own version of GDPR via the California Consumer Privacy Act of 2018.
- Understand the nature of all the data your company is collecting from consumers. Take prompt action to address the handling of any sensitive data. Be ready to explain the processing details for every type of personal data; however, be especially ready to explain how you process anything particularly invasive.
- Be transparent (concise, clear, and plain language accessible to the average member of the target audience) about the way any personal data is used and ensure consumers understand their rights over your company’s use of their data. Keep communication to the consumer simple; this is not the time for complex legalese. Provide the information all at once in a single location.
- Once you’ve determined the personal data you control or process and ensured your consumer has full understanding of how you handle that personal data, you still need to get unambiguous and clear consent from the consumer for the use of his or her data in exactly the way you intend to use it.
After California’s passing of its own version of GDPR, it remains to be seen whether the U.S. ends up with federal legislation in alignment with GDPR or a patchwork of state laws layered on top of GDPR requirements. Companies need to plan for growth and act now with the type of forward thinking required to ensure an easy transition into the modern state of heightened awareness (and heightened consequences for mistakes) surrounding data privacy.
If you have any questions about this post or any other related matters, please email me at firstname.lastname@example.org.