What is the GDPR?
Effective as of May 25, 2018, the European General Data Protection Regulation (GDPR) replaces a country-by-country patchwork of laws for consumer data privacy protection. Specifically, it regulates how companies are required to handle the personal data of the approximately 750 million residents of the European Union (EU). It applies to any organization in the world that collects, stores or processes the information of EU residents (not just EU citizens). Multinational enterprises, small businesses and nonprofits alike are governed under this code. Penalties levied for noncompliance and data breaches are potentially huge.
The law that took effect is broad. Let’s first determine if your organization needs to comply. You can use the questions below as a preliminary guide. If you are unsure about whether you fall under the GDPR, please contact the advice hotlines provided by the governing agencies: https://www.cnil.fr/en/contact-cnil or https://ico.org.uk/global/contact-us/advice-service-for-small-organisations/.
Are you required to comply with the GDPR?
Below are factors to consider when determining if you are required to comply with the GDPR and to what extent.
PHYSICAL PRESENCE AND STATUS
- Do you have more than 250 employees worldwide?
- Do you have a physical presence in the EU?
- Do you have any employees that reside in the EU (including US citizens)?
- Do you have a physical presence in the US and offer products or services to EU residents living in the EU?
- Do you have a physical presence in the US and monitor the online behavior of EU residents living in the EU?
- Are you a “public authority” as defined by the laws of an EU country in which you have a physical presence?
- Are you a “public authority” as defined by the laws of an EU country in which you offer products or services?
ACTIVITIES
Do your core business activities involve:
- Regular and systematic monitoring of EU residents, on a large scale, such as asking EU residents living in the EU to create profiles that are used to analyze or predict personal preferences, behaviors or attitudes using predictive analytics of behavior commonly used by social media sites and apps?
- Processing sensitive personal data of EU residents living in the EU, such as collecting or storing information about EU residents living in the EU when they use your website, respond to marketing surveys or open accounts with your organization? Personal data includes but is not limited to:
- Financial information (including credit card information)
- Medical information
- Identifiers associated with children
- Basic information, such as name, address and ID numbers
- Web data, such as IP addresses and cookie data
- Health, biometric and genetic data
- Racial, ethnic and sexual orientation
- Even political opinions, religious beliefs, and union memberships
- Processing data related to criminal convictions or offenses of EU residents living in the EU on a large scale?
- Offering hospitality, travel, software services or e-commerce to EU residents living in the EU? Offering these services does not by itself require compliance but US-based companies that do tend to fall under the GDPR.
WEB PRESENCE
Does your organization’s website:
- Market products or services in the language of an EU country and make reference to EU residents? Generic marketing does not require GDPR compliance. For example, a Dutch user who Googles and finds an English-language webpage written for U.S. customers would not be covered under the GDPR. However, if the webpage is in the language of that country and references EU customers, then the webpage would be considered targeted marketing and the GDPR would apply.
- Accept currency of an EU country?
- Have a domain suffix that allows access specifically for EU residents (e.g. your website can be reached via a .nl domain from the Netherlands)?
What should you do if you are required to comply with the GDPR?
Kindly update F8 on whether you have determined that you are required to comply, and we’ll work together to see what changes need to be made to your network.
Please note:
Determining whether your organization is required to comply with the GDPR is based on internal business and operational information. Therefore, F8 cannot determine whether your organization is required to comply nor does it provide any warranty or guaranty, express or implied, about meeting GDPR regulations.
The information above is provided for general informational purposes only, and may not reflect the current law in your jurisdiction. No information contained should be construed as legal advice from F8, nor is it intended to be a substitute for legal counsel on any subject matter. No reader of this post should act or refrain from acting on the basis of any information included in, or accessible through, this writing without seeking the appropriate legal or other professional advice on the particular facts and circumstances at issue from a lawyer licensed in the recipient’s state, country or other appropriate licensing jurisdiction.