As we enter 2018, there are two things that are guaranteed:
- We are going to continue to see an increase in cyber attacks
- We are going to see an increase in regulation
As the attacks continue, and as the amount of damage to citizens around the world continues to skyrocket, governments are stepping in and putting more regulations in place. And the latest of those from the European Union is the General Data Protection Regulation (GDPR).
One thing we do know for sure is GDPR is going to be enforced – this regulation looks like it is going to have teeth. Unlike other regulations where the fines have been so low as to be negligible, it appears that GDPR will be strongly enforced with significant penalties.
Another thing we know for sure is that GDPR applies to any organization that collects and stores data about individuals on its website. And if even one person from Europe enters their personal information on your public website and hits submit, then you’re covered by GDPR and subject to all its provisions.
But what don’t we know?
Can the EU Really Enforce This?
We used to live in a world where physical boundaries were relevant. If I was physically in the US I abided by the US laws. If I wasn’t in the US, I didn’t have to abide by its laws. Now with the Internet and cybercrime, you could be anywhere in the world and still have to abide by another country’s laws. So the real questions is can the EU actually enforce this against US companies that do not have a presence in the EU?
In theory the answer is yes. If you are a US company and you have information on European citizens that you are not protecting in compliance with GDPR, then EU authorities can still come after you and could still fine you. But would it be in a US court? A European court? How would that work? But here’s my suggestion – don’t be the first one to find out!
Can You Make it so People Waive Their Rights by Entering Their Data?
This answer is no. If people enter their personal data on your website, and they are an EU citizen, then they must be protected. This means that you can’t have a message on your site to the effect of “If you enter your information, you are waiving your rights to GDPR.” Or similarly, “We don’t comply with GDPR, so it’s your choice to enter your data.” What’s still up in the air is whether you can just tell people not to enter their data at all because you don’t plan to comply.
If your website outlines what data is saved and what it will be used for does that establish an agreement between you and the submitter?
This is a case where clear documentation and communication will make the difference. Your website should clearly state what data you’re going to collect and save and where it’s going to be saved. If you get dinged, this could help limit your liability. (Note, I am not a lawyer and this should not be construed as legal advice.) What’s clear is that the enforcement bodies are going to look at whether you have a documented approach to handling data, did you follow your stated procedures, and did you make a good faith effort to protect the data. Intent and practice are important here.
You’ll be hearing a lot more about GDPR as the deadline approaches. If you want to learn more, contact us a call for more information.
Did you miss our recent webinar on 5 Things You Might