A BUSKLAW Newsletter Aside: Is Your Website Compliant with the European Union's GDPR?


The EU's General Data Protection Regulation (GDPR) takes effect on 25 May 2018. The GDPR is a big deal and quite complicated: its 99 articles and 173 recitals define the privacy rights of individuals and the obligations of data controllers and data processors.

Are you a U.S.-based data controller or data processor subject to the GDPR? You are a “data controller” if you, alone or jointly with others, determine the purpose and means of “processing” the personal data of EU individual customers or businesses. The threshold is that you offer goods or services to customers or businesses in the EU (including the UK, despite Brexit) and collect their personal data. But even if you don’t sell goods or services to EU customers, you are still covered by the GDPR if you engage in marketing or monitoring activities involving EU individuals’ personal data.

You are a data processor if you “process” personal data on behalf of a “data controller,” i.e., a data controller contracts with you to process personal data that the controller collects from individuals. “Process” or “processing” means any operation or set of operations that are performed on personal data or on sets of personal data, whether or not by automated means, such as data collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Personal data includes one or more of the following: IP addresses, names, birth dates, physical addresses, email addresses, customer photos, billing information, customer identification numbers, any other information that can be used alone or with other data to identify a person, and sensitive data such as genetic data and biometric data that could be processed to uniquely identify an individual. 

Perhaps you're already in compliance with the GDPR. It's been in the works for the last two years. But if not, read on:  

For compliance purposes, you should consider giving priority to the following:

  • Updating your customer-facing websites and mobile app privacy policies to comply with the GDPR. These existing policies may be deficient in the following areas:
    • The customer doesn’t expressly consent to the privacy policy (and you don't keep a record of customer consents);
    • The privacy policy isn’t written in plain English;
    • The privacy policy doesn’t:
      • provide that the customer has the right to have inaccurate personal data rectified;
      • explain that the customer has the right to have their personal data deleted, i.e., the “right to be forgotten;”
      • explain that the customer has the right to receive their personal data;
      • explain that the customer has the right to object or restrict the processing of their data;
      • explain that the customer has the right to revoke, at any time, their consent to the processing of their data;
      • explain that the customer has the right to the secure storage and transfer of their data; and
      • explain that the customer has the right to have their outdated data erased.
  • If you are a data controller, make sure that you have suitable contracts with your data processors, and data processors should do the same with their data controllers. The GDPR includes specific content requirements for these contracts.
  • Making sure that you understand the cost of complying with the GDPR. Apart from legal fees, there will likely be considerable internal compliance costs, including (1) creating the necessary infrastructure to support the required website and mobile app privacy policy changes; (2) establishing more robust data security; and (3) adopting practiced and repeatable data breach notification policies and procedures. Even apart from GDPR compliance, if you haven't already done so, consider appointing a data protection or chief privacy officer (that role can be combined with another senior manager role such as CFO or CIO) who reports directly to your President or CEO.
  • If you have or process personal data, you should consider having Cyber Risk Liability insurance that may respond to penalties resulting from non-compliance with the GDPR. Cyber Risk policies have become more affordable in recent years, but you must carefully review the exclusions because fines or penalties levied by government authorities may be excluded from coverage. 
  • You should also consider having Directors and Officers Liability insurance because a company’s failure to properly secure personal data or timely report data breaches may lead to D&O liability to shareholders or outside parties. Again, you should carefully review the coverage exclusions.

Penalties for non-compliance with the GDPR are stiff: up to four percent of the violating data controller’s global annual revenue per violation or 20 million Euros, whichever is greater. Also, the data controller (and its data processor, if any) may be prohibited from processing EU customers' personal data.

I've prepared questionnaires for data controllers and data processors to help determine if they are subject to the GDPR. If you would like a copy (at no charge), email me! 
____________________________________
If you find this post worthwhile, please consider sharing it with your colleagues. The link to this blog is www.busklaw.blogspot.com and my website is www.busklaw.com. And my email address is busklaw@charter.net. Thanks!
