Public concern over online privacy, data breaches and unauthorized data usage is nothing new. For years we have been hearing about large-scale data breaches at retailers like Target and Home Depot, and the past year alone brought alarming news about the colossal Equifax breach as well as Cambridge Analytica’s use of personal data on Facebook to sway the 2016 presidential election. While U.S. legislators have not exactly clamped down on businesses to make them protect consumers’ personal data, the story is very different in Europe. As of May 2018, new laws set into motion in 2016 by the EU are already revolutionizing how businesses must deal with the personal data of any EU individuals, whether they are consumers, employees, or any other living persons.
The new EU law – called the General Data Protection Regulation or “GDPR” – consists of 99 separate articles which collectively turn the tables on how businesses deal with personal data, essentially shifting the approach from an “opt-out” regime (meaning individuals have to request that companies not process or otherwise use their personal data) to an “opt-in” rule, by which those individuals must clearly give informed consent to companies to use their personal data.
In this three-part series, we will look more closely at what businesses must do to comply with the GDPR, and what penalties will apply if they do not. In this first article, we will look specifically at whether the GDPR applies to your business.
Not in the EU? Don’t Assume That You Are Exempt from GDPR Requirements
To be very clear, the fact that your business is not located in the EU does not mean you are free from the GDPR. If you are a U.S.-based business (or a business based anywhere, for that matter), and you process the data of individuals who do live in an EU country, then you are subject to the requirements of the GDPR. This is true regardless of whether you have ever intentionally marketed to individuals in those countries, or whether you have ever even heard of those countries before.
The GDPR does not apply to people from EU countries who are living elsewhere, however. Thus, if you keep personal data about your yoga students and one of them is Estonian but lives in Brooklyn, the GDPR would not apply to that situation. But if you process an order for yoga pants from a customer in Estonia, and keep that individual’s personal data in your company’s files, that action will indeed be subject to the GDPR.
(For a full list of the 28 countries currently in the EU, see here. Note that, despite the 2016 Brexit vote, the UK currently remains in the EU, and so you should be conscious of the GDPR with regard to your UK clientele and contacts.)
Understanding What Personal Data and Data Processing Mean Under the GDPR
The next step in understanding whether the GDPR applies to your business is to ask whether your company processes personal data of individuals in the EU. “Personal data” refers to any type of information which can be used to identify any living person. Deceased persons and entities (e.g. businesses or organizations) are not included. Personal data includes information such as:
- IP addresses
- ID numbers
- Personalized email addresses
Basically, any data that can be used to identify a person qualifies as personal data, even if that information has been encrypted but can still be decrypted to identify the person.
Although “processing” may suggest something technical in the style of the Facebook / Cambridge Analytica operation, the term is far broader than that under the GDPR. Do you store customers’ personal data? You have processed it. Even if you write a list of your EU customers’ names in a notebook, that qualifies as processing.
In total, data processing for purposes of the GDPR includes: “collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data.”
Clearly, the scope of the GDPR is wide indeed, and thus any business in the U.S. that deals with customers, potential customers, employees, or any other individuals needs to take note of its requirements. In the next article of this privacy law series, we will take a look at what is now prohibited or required by the GDPR.