Coming in May 2018, the EU's General Data Protection Regulation will bring about the greatest change to European data security in 20 years. If you’ve only been following the headlines, you’re probably aware of the “right to be forgotten,” 72-hour breach reporting, stronger consumer consent and high fines.
Of course, an EU-based company or multinational corporation that does business in the EU is, we hope, well on the way to complying with the GDPR. But what about U.S. companies that have no direct business operations in any one of the 28 member states of the European Union. They have nothing to worry about, right?
Not true.
Any U.S. company that has a Web presence (and who doesn’t?) and markets their products over the Web will have some homework to do.
Territorial Scope
A very important change in the GDPR that hasn’t received the attention it deserves has do with the geographic scope of this new law.
To quickly summarize: Article 3 of the GDPR says that if you collect personal data or behavioral information from someone in an EU country, your company is subject to the requirements of the GDPR. Two points of clarification. First, the law only applies if the data subjects, as the GDPR refers to consumers, are in the EU when the data is collected. This makes sense: EU laws apply in the EU. For EU citizens outside the EU when the data is collected, the GDPR would not apply.
The second point is that a financial transaction doesn’t have to take place for the extended scope of the law to kick in. If the organization just collects "personal data" -- EU-speak for what we in the U.S. call personally identifiable information (PII) -- as part of a marketing survey, then the data would have to be protected GDPR-style.
Targeted Marketing And The Web
U.S. companies without a physical presence in an EU country collect most of the personal data belonging to EU data subjects over the Web. Are users in, say, Amsterdam who come across a U.S. website automatically protected by the GDPR?
Here’s where the scope of requirements becomes a little more complicated.
The organization would have to target a data subject in an EU country. Generic marketing doesn’t count. For example, a Dutch user who Googles and finds an English-language webpage written for U.S. consumers or B2B customers would not be covered under the GDPR. However, if the marketing is in the language of that country and there are references to EU users and customers, then the webpage would be considered targeted marketing and the GDPR will apply.
Accepting currency of that country and having a domain suffix -- say a U.S. website that can be reached with a .nl from the Netherlands -- would certainly seal the case.
Who are likely U.S. candidates to fall under the GDPR’s territorial scope? U.S.-based hospitality, travel, software services and e-commerce companies will certainly have to take a closer look at their online marketing practices. However, any U.S. company that has identified a market in an EU country and has localized Web content should review their Web operations.
Consent, Breach Notification And Fines
For U.S. companies, EU-directed online marketing forms and interactions will have to be adjusted to obtain explicit consumer consent. In the language of the GDPR, consent must be “freely given, specific, informed, and unambiguous.”
For example, say a Chicago-based software company is looking to run a campaign in France and has set up a webpage to collect email addresses for a white paper. At the very least, the company will need a checkbox -- without a default “x” in it -- accompanied by clear language about what it will be doing with these email addresses. And it’s not allowable to ask the user to click on a link to a long “terms and conditions” document filled with legalese.
This can get more complicated when a customer signs up for a service or buys something. The vendor will need to obtain explicit permission for each type of processing done on the personal data (i.e., email promotions or sharing with third-party affiliates will have separate checkboxes).
Once the data is collected, U.S. companies will then have to protect it under the GDPR’s rules. For those that already follow existing data security standards (e.g., PCI DSS, ISO 27001, NIST), these new regulations should not be a burden.
However, the tough new GDPR 72-hour breach notification rule will certainly require IT departments to up their game.
When there’s a breach involving “accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed,” then IT groups will need to analyze whether the exposed or affected EU personal data identifiers can cause “risk to the rights and freedoms” of EU data subjects.
The GDPR gives some leeway in weighing the risks, but a large exposure of email addresses, personal data that contains sensitive data related to medical or financial information or identifiers associated with children, would all require notification to an EU regulator or “supervising authority” within 72 hours.
Where there’s “high risk” to fundamental property and privacy rights -- typically, exposure of credit card numbers or account passwords -- then the data subjects themselves will also have to be notified.
There are still questions about how the EU will enforce these actions against U.S. and other multinational companies doing business over the Web. The EU is serious about a uniform data and privacy law for its market and has already changed the Web practices of major U.S. companies.
To get the attention of multinationals, the GDPR introduces significant fines. For not reporting a breach to a regulator within 72 hours, fines are in the first tier of penalties -- 2% of global revenue rather than the higher 4% that has received more press attention.
U.S. companies, especially those with a strong Web presence, should be paying attention and changing practices now and not waiting to become a headline two years down the road.
