What is GDPR?

Diving into the legalese of GDPR isn’t what we call enjoyable reading, so let’s break it down a bit. GDPR stands for General Data Protection Regulation. It was created in the European Union and rolled out on May 25th of 2018 (happy belated birthday GDPR!) to protect the data of EU citizens, but it has a global impact despite being an EU law. 

GDPR gives individuals more control over their own personal data online. This is extremely important because personal data is a trillion-dollar industry! That’s with a T trillion! With control of your data put back in your own hands, GDPR takes that power away from big companies like Facebook and Google (in theory), who deal heavily in the massively profitable personal data market. 

What is personal data? 

Personal data covers a lot of information. Contact information, device details (IP addresses, location data), bank account and ID numbers, social media posts, geotagging, personal health information, race, and even your opinions, videos, and photos posted to social media are considered personal data. 

These elements put together paint a picture of you online. So it’s a pretty big deal to take the power away from those who profit off of selling personal data. 

What happens if GDPR is violated? 

Fines. To be exact, up to €20 million ($23 million) or 4% of annual global turnover. Yikes, right? Well, it’s proven to not be that big of a deal to the really big players, like Google, who was served a $57 million fine, which they probably found in their couch cushions. If nothing else, it’s bad publicity to get slapped with a GDPR fine, and hopefully will persuade companies to be more careful with user data and more serious about data security going forward. For smaller companies, a GDPR fine could be potentially financially devastating. So let’s talk about how to avoid such devastation!

What is GDPR compliance & why is it important?  

Business owners that potentially have EU users, even just as subscribers to a blog or newsletter, need to be compliant with GDPR. 

In broad terms, compliance will include the following aspects:

  1. Collect data legally and use it ethically
  2. Collect as little information as possible
  3. Use trusted applications to protect any collected data
  4. Only store data as necessary

If you run a website that doesn’t collect any subscriber information or sell anything, you’re generally safe to be GDPR worry-free. 

GDPR Checklist

While this is not meant to be legal advice in any way, here’s what you need to become GDPR compliant:

  1. Data Protection Impact Assessments (DPIAs) 
    • Check out the ICO’s comprehensive guide to DPIAs. 
  2. Data Breach Notifications 
    • You have 72 hours to report a breach and must inform users ASAP. 
  3. Privacy Policies
    • Termly has a privacy policy generator that can help you out in this area. 

The Future of Privacy Laws

We mentioned in our last blog that GDPR-like laws are popping up all over the place. The most mature of these laws comes out of California and is called the California Consumer Privacy Act (CCPA), which has been dubbed California’s “GDPR lite”. It’s a new law that rolled out January 1, 2020, based on the EU’s law. (We’re currently in the grace period before the law is enforced, which ends July 1, 2020.) Let’s talk a bit about what to expect. 

CCPA 

Basically, CCPA defines who needs to comply a bit more specifically than GDPR, whose compliance definition is broader. CCPA also doesn’t give the consumer/user quite as many rights as GDPR. CCPA is weaker for the consumer/user in that it doesn’t force the company to get permission before selling personal data. It only has the company give you the option to withdraw your consent after the fact. 

The CCPA is not quite as broad as GDPR. This infographic lays out the differences between the two laws, and this checklist is extremely handy in sorting out anything you can think of when it comes to your questions about compliance with CCPA. 

CCPA Checklist

Becoming GDPR compliant is a good starting point for your compliance with US-based privacy laws because if you’re at a minimum GDPR compliant, you’ll very likely already be able to fulfill the requirements of CCPA. And just a reminder that this is in no way intended to be legal advice — chat with your legal advisors on that front if you have any questions. 

Here are the basics of who needs to comply with this law: 

Any organization that meets one of the following three criteria annually:

  • Earn revenues greater than $25 million.
  • Buy, receive, sell, or share the personal information of 50,000 or more consumers, households, or devices for commercial purposes.
  • Derive 50 percent of annual revenues from selling consumers’ personal information.

If you fulfill just one of the above criteria, you need to comply with the CCPA. Do head to this website for their checklist tool, and also go to the CCPA’s official site to get more guidance on what you need to do. 

Please do have a chat with your legal counsel if you have any specific concerns about your organization in regards to complying with any of the above laws. 

We at Crowned know the importance of understanding data privacy laws like the EU’s GDPR and California’s CCPA. In the shadow of the COVID-19 pandemic, data privacy is as hot a topic as ever. Despite all the media attention to GDPR, we thought it would be helpful to drill down into GDPR in the USA, especially since most small businesses aren’t confident that they comply with GDPR rules.

With more people than ever working from home, keeping data safe and in compliance with data privacy law is more important than ever. The European Union’s GDPR (General Data Protection Regulation), California’s CCPA (California Consumer Privacy Act), and Brazil’s LGPD are just the tip of the iceberg in the era of data protection. It’s important for anyone with an online presence to have a general grasp of these rules. 

Why should I care about GDPR in the USA? 

Being ahead of the curve is key here. GDPR is the headliner of the data privacy show, but we also have to be aware of the laws that have been inspired by GDPR. With the roll-out of California’s CCPA and Brazil’s LGPD this year, data privacy laws are just getting started. In the US alone, several states, including Nevada, New York, Texas, and Washington, are considering following California’s lead and passing their own data protection laws. Canada and Australia have data protection laws in the works, too. So why not become GDPR compliant now and save yourself the headache before the inevitable deluge of GDPR-type laws arrives?

If you have customers in the EU, you should care about GDPR!

GDPR impacts EU/EEA residents (data subjects) and any organization that processes personal data (data processor) of EU/EEA residents. GDPR is location-based, so it depends on where the data subject is located when their data is processed. Citizenship is not a factor; location is key here. 

The size of your business (aka the data processor), the number of employees, or the amount of revenue you make doesn’t matter to GDPR rules. If your business does at least one of the following, GDPR applies to you: 

  • Your business offers goods or services (even with no commercial transactions) to EU/EEA residents.
  • Your company monitors or tracks the online behavior of users inside the EU/EEA.

GDPR & COVID-19

The ICO, which regulates GDPR in the UK (where your writer dwells), has published guidelines for businesses operating in the UK that discuss the challenges of staying compliant during the pandemic.

Organizations face many data privacy challenges: an uptick in working from home, a major rise in phishing attacks and scammer activity, and staff shortages that might make responding to data access requests within the law’s deadlines difficult. The UK is feeling the brunt of these challenges right now.

The ICO has stated: 

“We understand that resources, whether they are finances or people, might be diverted away from usual compliance or information governance work. We won’t penalise organisations that we know need to prioritise other areas or adapt their usual approach during this extraordinary period.

We can’t extend statutory timescales, but we will tell people through our own communications channels that they may experience understandable delays when making information rights requests during the pandemic.”

GDPR will continue to evolve over time. The European Union will keep this site updated with news of the future of GDPR. 

GDPR Bottom Line for US Companies

The long and short of it is that if you have any data subjects you serve or track (customers, readers, users, etc.) based in the EU, you must comply with GDPR. Here’s a great resource for help if you’re feeling a little astray on this front. 

These laws will continue to develop as regulators see how companies respond to privacy legislation. Likely, we will see regulators expand the rules to wrangle companies that do their best to find loopholes. Google and Facebook are already doing just that. 

What’s Next? 

We here at Crowned believe that working toward GDPR compliance is wise and worth it. Like so much right now, the future is hard to forecast. One thing is for sure, though: data privacy isn’t going away, and it’s best to work toward GDPR compliance ASAP. 

In our next blog, we’ll dive into a few of the details about what GDPR is and how you can work toward compliance.