As you may or may not know, towards the end of May next year, the so-called GDPR (General Data Protection Regulation) comes into effect in the EU.
However, it applies to ANYONE selling into the EU … and that includes pretty much all online/Internet marketers.
So, straight from their FAQ http://www.eugdpr.org/gdpr-faqs.html
The ‘scary’ one:
What are the penalties for non-compliance?
Organizations can be fined up to 4% of annual global turnover for breaching GDPR or €20 Million.
This is the maximum fine that can be imposed for the most serious infringements, e.g. not having sufficient customer consent to process data or violating the core of Privacy by Design concepts.
There is a tiered approach to fines, e.g. a company can be fined 2% for not having their records in order (Article 28), not notifying the supervising authority and data subject about a breach, or not conducting an impact assessment.
It is important to note that these rules apply to both controllers and processors — meaning ‘clouds’ will not be exempt from GDPR enforcement.
Regarding the first part (the 4%): that applies to the entire company-structure.
So if you think: “not to worry, this one company that might be affected is only a small thing under my umbrella brand” … think again:
GLOBAL turnover of the ENTIRE company!
As you can see, they explicitly mention ‘not having sufficient customer consent to process data’.
Here’s where this gets scary:
Look at the last paragraph I mentioned:
If you store customer information in e.g. Aweber, and they get hacked … YOU are responsible!
It is YOUR responsibility to CHECK up-front (and keep checking on a regular basis) that (in this example) Aweber are GDPR-compliant (they’re not, just checked, see below)
Now it gets even scarier:
Even if you can prove that Aweber messed up and YOU checked in on them on a regular basis … it’s still the 4% of YOUR company that’s on the line (or €20 Million, whichever is the greatest).
You can then TRY to reclaim that from Aweber, but that’s YOUR job. YOU/YOUR company foots the bill to begin with.
In case you’re wondering: I attended a seminar on just that topic last Thursday, a great presentation by a lawyer who specializes in just this thing.
The big take-away from this was:
Obviously, the scary stuff from above.
But, probably more importantly:
Data Protection (at least for those selling into the EU) is now a PROCESS!
It’s an ongoing effort, and in order to be compliant, you will have to prove that you have systems in place!
If you don’t … that’ll be 2% or €20 Million … whichever is the greatest.
Just to scare you some more:
Just had a chat with Aweber … and they think they’re safe because they are US-EU Safe Harbour (self-)certified.
They’re NOT safe:
https://iapp.org/resources/article/safe-harbor-and-gdpr-action-plan/
(read the Price Waterhouse Cooper article at the top)
How’s that for a lighthearted start to the week? ;-)
Cheers
Veit
PS: if you’d like to sign up to my new “Drip”-list, you can do so here:
Yes, I got this last week from Google as I host my email through them. Looks like a new business having an EU representative requirement for anyone in North America!
Hello Administrator,
We are sending you this message because your organization is operating G Suite account thebusinessofathomebusiness.com, and the G Suite Data Processing Amendment currently governs how we process personal data on behalf of your organization, and/or according to our records, your organization is established in the European Economic Area or Switzerland.
On May 25, 2018, the most significant piece of European data protection legislation in 20 years will come into force when the European Union’s (EU) General Data Protection Regulation (GDPR) replaces the 1995 Data Protection Directive. We know that preparing for this regulatory change is a priority for many of our customers. It is a priority for us, too.
Today, we are pleased to roll out version 2.0 of our Data Processing Amendment (DPA), which has been specifically updated to reflect the GDPR.
How opting in to DPA version 2.0 works
If you opt in to DPA version 2.0, the updated terms will take effect with the GDPR on May 25, 2018. If you opt in before May 25, you will benefit from DPA version 1.6 until then.
Details Google is required to obtain from you
The GDPR requires Google to maintain records of certain information, including the contact details of your EU representative (if your organization is not established in the EU) and Data Protection Officer (DPO), where applicable.
Note that the wording is UP TO 4% or €20m, whichever is higher, which means if your global turnover is less than €500,000,000 (i.e. 1/2 billion Euros) and the EU Court of Justice (or whatever) thinks you’ve been especially naughty (e.g. you left your WordPress user name as ‘Admin’ – as in the case of a British company which was fined recently for being hacked under the previous DP rules), then they can still fine you €20m even if your global turnover is $1.
In the UK, the ICO have stated that small companies needn’t worry as it is unlikely they will be fined €20m – which is great since there are probably around 1 million UK micro businesses desperately trying to peddle their digital ebooks and such like across the EU by way of opt-in forms on digital channels they have no hope of ever understanding (as you mentioned above Veit).
And don’t think for one second that Brexit is going to free up the UK from this legislation – far from it – the UK is the FIRST country in the EU to implement it – in fact, everything’s already in place over here, the only thing that changes next May is that they’re going to fully enforce it.
Note that the only entity that’s going to get seriously rich from this is the EU state machine (considerably more than the lawyers trying to get rich off fighting the legislation where it victimises the ignorant, since the ignorant are most likely to be the penniless, who will be forced out of business through not having a PhD in cryptographic processes).
If they really cared about data protection, they’d give all the fines back to the ‘victims’, wouldn’t they? Ha! SNAFU.
Thanks Veit.
So the key here is customer consent… is that right?
Or is the focus on encryption and security ?
(Or both)
Keen to know more.
Cheers
Walt
It’s both: getting permission as well as protecting the data.
The key thing (kinda hinted at in the Q&A) is that you have to have PROCESSES in place that deal with different scenarios of customer data getting compromised.
And those processes need to end in “and this is how we notify the authorities when shit happens”.
And of course, processes need to be documented (that’s the 2% rule, see above), plus you have to have systems/processes in place that make sure your first lot of processes are always up-to-date.
If there’s enough interest, I’ll contact the lawyers I went to see last week and see if they could do a ‘special’ edition for online marketers.