Complying with new and emerging data privacy laws, such as the EU’s General Data Protection Regulation (GDPR), can seem onerous, especially when you’re a busy entrepreneur with hundreds of other priorities. So we asked Doc Sheldon, an expert on data privacy laws and the founder/owner of Intrinsic Value SEO, to break it down for us.
Connecticut Innovations: Thanks for lending us your expertise, Doc. Does GDPR apply to companies of all sizes?
Doc Sheldon: There are certain aspects of the regulation that don’t necessarily apply to very small companies, such as the mandatory requirement to appoint a data protection officer. But the principles at the heart of the regulation—especially the rights of the data subjects and the handling and protection of their personal data—apply to all companies, regardless of size.
CI: What about startups that offer products and services only in the United States? Do they have to worry about data privacy?
DS: There are several things that “automatically” establish that the GDPR applies to a company’s activities as they pertain to an EU/EEA data subject, including offering content in the language of an EU member state, accepting payment in the currency of a member state, and offering shipping to a member state (or even worldwide shipping). A U.S. company may even have additional vulnerability, in that it may be more likely to be transmitting personal data outside of the EU/EEA, whereas a company located within the EU/EEA may not be doing so.
CI: Various states in the United States are creating their own policies, correct?
DS: Various states have already enacted, or are in the process of enacting, legislation to require protection of personal data. Most of these share a great deal of similarity with the GDPR, at least in concept. However, there are also marked differences between them, which necessitates that a U.S. company comply with them all. This essentially means that [companies] must comply with the most stringent requirements of any of them. In order to alleviate confusion, there are ongoing efforts to draft and pass a federal data protection standard, which would approximate the levels existing in the GDPR.
CI: What does a startup have to do to comply? Are there steps you can outline?
DS: This is a very difficult question to answer, and a response would be quite lengthy, as the compliance measures will differ somewhat from one company to another.
- An enumeration of their rights regarding the gathering and processing of their data, which will include the right to request from the controller access to, rectification or erasure of, or limitation of the processing of their data, as well as the right to a machine-readable copy of their data and the right to withdraw consent to processing at any time;
- The identity and contact details of the data controller and its representative, where applicable;
- The contact details of the data protection officer, where applicable;
- The purposes of the processing of their data;
- The legal basis for the processing of their data, including the pertinent legitimate interests, since that is the legal basis for processing;
- The right to lodge a complaint with a supervisory authority if they feel their rights have not been honored;
- The intent to transfer their data to a third country or international organization for processing, as well as the safeguards employed and the means by which they can obtain a copy of their data;
- The time period for which their data is to be kept.
In certain circumstances, other notification requirements may exist.
CI: Who in the organization should own the data privacy piece?
CI: What is the timeline for complying?
DS: The GDPR was passed by the EU Parliament in April 2016, but enforcement was postponed until May 25, 2018. At that time, the regulation was fully enforceable for all entities subject to the regulation.
CI: Do you have tips for creating records of what you do with user data, or an easy way to pull that data?
DS: My favorite recommendation for keeping a record of consent is to use CookieBot, which presents the cookies to be placed on a user’s computer, and monitors/stores those consents. Additionally, the WordPress content management system (CMS) provides the ability to access or delete stored data. A company can also maintain an independent log of all data transactions, using pseudonymization, to document its actions.
CI: How will these data privacy rules affect marketers, who rely on customer data and analytics to serve up personalized experiences?
DS: That is really still developing, so at this point, I can only offer some rather obvious observations. Spamming will now be particularly hazardous, and cold calling will have to be done with a very careful structure.
CI: A lot of companies have a CRM to store customer data, plus a marketing automation tool that sends emails and tracks open rates, click-throughs, site visits, etc. Do both systems have to comply?
DS: Any and all instances of acquired, stored or processed personal data will have to comply with the regulation. Where appropriate justification is present, access to that data will have to be limited and carefully safeguarded.
CI: Any other advice for entrepreneurs?
DS: Two other things that occur to me are: (1) There needn’t be any payment required for an entity to be subject to the regulation, so even an informational blog can be as vulnerable as an ecommerce entity. (2) Many companies believe that because they have no presence in the EU/EEA, the European Commission has no ability to enforce the GDPR against them. This is incorrect, as both international law and reciprocity agreements exist that enable [the commission] to enforce actions against U.S. entities.
A final thought:
CI: Thank you, Doc.
DS: My pleasure.