Client Query: How Do I Know If the GDPR Applies to Me?

You’ve noticed it, right? You’ve gotten bombarded with emails from all of the different services that you use. Pinterest, Etsy, GoDaddy, Instagram, Slack...they’re all updating their terms of service to reflect new privacy practices. But why? If you’re any sort of online entrepreneur, you know the answer. It’s the General Data Protection Regulation (or “GDPR”) coming out of the EU, set to go into effect on May 25, 2018. The GDPR is a new set of standards established by the European Union and mandates certain privacy practices. So, should you be worried about it? Depends. Here, you’ll find some info on who the GDPR applies to, what it covers, and (generally speaking!) some best practices for compliance.

Who the GDPR Applies To

The GDPR applies to websites that could be collecting or processing the data of users in Europe. This doesn’t mean the user must be an EU citizen for the GDPR to apply -- it means the user is in the EU when interacting with your platform. Making offers to people in the EU? Yep, the GDPR applies. Got a following that travels the world and accesses your content (and provides you with their info) while abroad? Honestly, in our global, mobile society, who doesn’t? The GDPR applies there, too.

(Side note number one: There’s a little bit of misinformation floating around the Internet that the GDPR only applies to businesses with 250 employees or more. This is wrong. There are different record-keeping requirements if your business has 250 employees or more, but the GDPR can apply if you're a smaller business.)

The Types of Data the GDPR Applies To

Put simply, the GDPR applies to personal data. That can include a name, a photo, an email address, bank details, or a computer IP address. Personal information collected automatically (like some Google Analytics info) counts, too.

(Side note number two: It’s worth mentioning that information that doesn’t identify people doesn’t fall into GDPR territory.)

(Side note number three: It's a whole different ballgame if you're collecting financial or medical information, or information about kids.)

The Types of Activity the GDPR Applies To

First, the GDPR applies to collecting “provided data,” aka, data provided directly by the user. This is the type of information you usually ask for in offering a freebie, for example, or if someone signs up for your email list. Second, it applies to observing data, aka data monitoring or harvesting. An example would be monitoring where a user moves her cursor or the articles or links she clicks. Finally, it applies to when you’re adding to that data — tagging the data in your CRM, or in email marketing segmenting. 

The Nitty Gritty: GDPR Basics

Data Collection

The GDPR requires that you have a "legal basis" for collecting or processing personal data. The most common bases are:

  1. Consent. Sometimes the easiest, this basis requires a loud and proud opt-in. Give users enough information to make an actual yes-or-no choice prior to giving you consent to use their info.
  2. Legitimate Interest. If you take a look at Pinterest’s updated policy, you’ll see that it uses the phrase “legitimate interest” a few times. “Legitimate interest” is the most flexible of the lawful bases on which someone can use data under the GDPR. If 1) there's a limited privacy impact on the user, 2) the user might reasonably expect you’d use their data in that way, and 3) the use has a clear benefit to you or to others, it’s considered to be a lawful basis for using data. Pinterest is an example. Pinterest is taking the stance that it can use your personal data to deliver advertisements to you that might be of legitimate interest. Another example is as follows: You collect someone’s email address when they sign up for a free e-book and then create a funnel whereby you’re offering that user the opportunity to purchase an e-course that covers the topic of the e-book -- the topics are the same, so it's likely that I have a legitimate interest in an e-course that covers similar ground. But, compare this to offering a completely unrelated e-course…then, the answer is not as clear. As a result, one could argue there’s no legitimate interest there, and you’d be better off seeking consent for that new use.

Users' Rights

The GDPR  also provides all users with the following rights:

  • The right to be informed. (In other words, informed as to who you are, what data you’re collecting, and how you’re using that data.)
  • The right to access. (This means the right to access the data you're keeping on your users.)
  • The right to rectification. (Rectification is a fancy word for “correction.”)
  • The right to object. (Users can object to your use of their data.)
  • The right to data portability. (This is the right to obtain their personal data for specific purpose of transferring it from one controller to another without being prevented from doing so by the data processor.)
  • The right to erasure. (Users can request that the data you have on them be erased and all dissemination ceased. But note, this comes with some exceptions/special rules.)
  • The right to restrict processing (“I don’t want my data to be used in such-and-such way.”); and 
  • The right to not be subjected to a decision when it’s based on automated processing or profiling.

If you are collecting or processing personal information that falls into GDPR territory, check your procedures to make sure they cover these rights. (Note that collecting data and processing data are two different activities. You could be collecting it, but MailChimp or Insightly CRM might be processing it. But the act of uploading the data to MailChimp is also processing the data. Phew, see why folks are getting a little overwhelmed?)

Penalties for Non-Compliance: A Positivity Sandwich

A Positivity Sandwich is when you sandwich a negative with two positives. 

Positive: if you implement the parameters required by the GDPR, you won’t have to worry about penalties! Negative: Organizations can be fined up to 4% of annual global turnover for breaching GDPR or €20 Million (whichever is greater), plus other sanctions. That’s the maximum fine, and it’s tiered based on the seriousness of the infraction. Positive: there is no “GDPR Task Force,” scanning the globe for GDPR violations. It’s more likely that a competitor or a user that is unhappy with your practices. So, keep that in mind.

Post-GDPR Best Practices (or AHH! It Applies to Me! What Do I Do!?)

Breathe. The GDPR is all about being transparent when it comes to 1) who you are 2) what data you’re collecting and 3) how you’re using that data. Here is a summary of some other best practices:

Map It.

First of all, map out the “flow” of your platform. Where and how are you collecting personal data? Where do you need to add the proper consent requests? You cannot take action until you know the answers to these questions.

Get Privacy Policy. Now.

Having a solid Privacy Policy is a must.

Keep Your Records.

You’ll want to keep clear records on all of your users and save those records. Keep records on when they gave consent (a date and timestamp help), what they were told, and the conditions that applied when that user gave consent. You’re the one that would have to prove you’re complying in the event of a challenge.

Collect and Use Personal Information Fairly and Transparently.

  • Don’t collect more than what’s necessary to achieve what you want to achieve. Be transparent about what you’re collecting.
  • Don’t keep data for longer than you need to for your legal basis. If you told users you’re collecting data to provide them with an e-course, do you need to hold onto their data years after the course has ended? Probably not.

Gain and Record Consent, as Applicable.

  • Discreet opt-ins, hidden checkboxes, and pre-checked checkboxes are a thing of the past.
  • Explain how you’ll be using the user’s information, and give them an actual choice.
  • Along the same lines, if you’re going to be doing any direct marketing, let them know.
  • Users should be able to change their minds and revoke consent after they’ve given it. So, this means — you guessed it — it’s a good idea to have procedures in place in case someone revokes consent.

Give Individuals Appropriate Control and Choice.

  • Users should be able to affirmatively (and easily) opt out.
  • Again, the choice should be an actual choice.
  • Clicking “yes” or “I agree” should not be a condition to receiving your freebie. In other words, the user should be able to get the freebie even if he or she doesn’t agree to your new privacy policy or terms.

Change Your Procedures/Systems So That You Can Locate and Delete Someones Data On Request (Free of Charge).

Popular email marketing software like MailChimp and ConvertKit are on the ball by making it easy to segment and work with your email lists. But still, this may be an area where your web developer gets involved. A few dollars spent with your web developer will be well worth avoiding the fat fees that could come with non-compliance.

Make it Fun!

 Nobody said this stuff has to have a serious, “hall monitor,” lawyerly tone. Yes, your consent check points, emails, and your privacy policy should have all of the right content. So, you should still feel free to use your voice and stay "on brand."

When Confusion and Overwhelm Hit — Call a Lawyer. 

Someone versed in GDPR and privacy issues should be able to help with those fact-specific scenarios.

The Point: If the GDPR applies to you, don’t freak. Be transparent. Be honest. Map your data practices and execute your plan as necessary.

Previous
Previous

What the SCOTUS Sales Tax Ruling Really Means

Next
Next

Protecting Your Pod[cast]: What’s in a Good Podcast Guest Contract