GDPR 101

How much can a good privacy policy and terms of service (or terms of use) be worth? Well, according to HBO’s Silicon Valley, about 21 billion dollars. In the show, Pied Piper’s interim CEO, Dinesh, did not include terms of service before users began using their chat service because he thought it was “lame.” This resulted in a “gross violation” of privacy laws that quickly racked up fees. Jared, the most business-savvy of the group, was shocked that Dinesh not only failed to include the terms of service but also did not bother to read the policy in its entirety.

Thankfully for business owners, they do not have to be a Jared to avoid becoming a Dinesh in the context of privacy laws, especially when it comes to the EU’s General Data Protection Regulation (GDPR). The GDPR establishes the rules that businesses must abide by when controlling and processing data gathered from EU citizens. Failure to comply with the GDPR can result in fines of up to €10,000,000 or 2% of total worldwide annual revenue, whichever is greater. For more serious offenses, the EU can impose fines of up to €20,000,000 or 4% of total worldwide annual revenue, whichever is greater.

Wow! What can an entrepreneur do to avoid these penalties and the hassle of dealing with an investigation? In this post, we will explore who the GDPR applies to, the data privacy principles promulgated by the law, and what steps businesses can take to avoid penalties.

Who does the GDPR Apply To?

The GDPR applies to three groups who process data (meaning any activity that collects, records, organizes, stores, retrieves, uses, discloses, or deletes personal data). Spoiler alert – it most likely applies to your business if you have a website that collects any user information.

First, and most obviously, the GDPR applies to controllers and processors that process personal data in the context of the activities of an EU establishment. Second, it applies to controllers and processors that are not established in the EU but that offer goods and services to individuals in the EU or monitor individuals’ behavior that takes place in the EU. Third, it applies to controllers that are not established in the EU but are located somewhere EU law still applies by international treaty (which is not the case for the United States).

This statement leaves many questions. What is the difference between controllers and processors? How much business do I have to do in an EU member state before I count as offering goods and services to individuals in the EU or monitoring individuals’ behavior that takes place in the EU? We address each question in this post.

The difference between a controller and a processor is subtle. A controller is the one who determines the purposes and means of the personal data processing. A processor is an entity or person who processes the data on behalf of the controller. To illustrate this, if you decide you want your business to collect customer data using Google Forms, then your business would be the controller and Google Forms the processor. If you are reading this article, you are most likely going to be a controller.

Next, if your business is in a non-EU country, how do you know if the GDPR applies to you? Generally, your website does not have to be GDPR compliant simply because individuals residing in the EU can access it, but being GDPR compliant can help you avoid the unintended pitfalls outlined later in this paragraph. Rather, the GDPR applies if your website offers goods and services with an intent to sell to individuals residing in the EU, as evidenced by factors like allowing them to pay in euros and translating the site into a member state’s language. Further, if your website intends to track the activities of a user who resides in the EU using cookies and then later process that data to predict personal preferences, behaviors, or attitudes, then you fall under the scope of the GDPR – you could easily run afoul of this requirement unintentionally!

What Principles must Businesses Abide By?

If the GDPR applies to you, the law establishes 7 principles that controllers and processors must abide by.

First, under the Lawfulness, Fairness, and Transparency principle, organizations must process data lawfully, fairly, and in a transparent manner. This includes a data subject’s right to know who has their data and why it is being processed, and the right to access or erase that data, among other requirements.

Second, under the Purpose Limitation principle, organizations can only collect data for specified, legitimate purposes and may not process it beyond what those purposes require.

Third, the Data Minimization principle requires that personal data should be adequate, relevant, and limited to what is necessary for the purpose of processing.

Fourth, the Accuracy principle requires organizations to keep personal data accurate, up-to-date, and corrected/deleted when inaccurate.

Fifth, the Storage Limitation principle requires organizations not to keep personal data in a form that permits identification of the individual for longer than is necessary for the purposes of the processing.

Sixth, the Integrity and Confidentiality principle establishes that organizations must protect personal data against unauthorized or unlawful processing and against accidental loss, destruction, or damage.

Finally, the Accountability principle makes the controller responsible for compliance with the other data protection principles.

Avoiding Penalties

What steps can a business owner take with respect to their business’s privacy policy to avoid penalties?

Due to the many onerous requirements, and the fact that you likely won’t be able to control the home country of those accessing your website, it is usually a good idea to assume that your business will fall under the GDPR and comply with its requirements. First and foremost, you should start by acquiring a GDPR-compliant privacy policy. Every GDPR-compliant privacy policy must include the following:

  1. Who is processing the data
  2. What legal basis allows you to collect user data
  3. The purpose for collecting personal data
  4. What types of personal data you collect
  5. How long you are going to store the data
  6. Whether you transfer the data internationally
  7. Whether the data is used in automated decision making
  8. What third parties you share the data with
  9. What are the data subjects’ rights under the GDPR

We’ve made it easy for you to comply with these requirements: we have prepared a DIY privacy policy here that has been drafted to be GDPR compliant.

Conclusion

Since it is difficult to control who accesses your website, it is generally a good approach to assume the GDPR will apply to you and obtain a privacy policy for your website that is drafted to be GDPR compliant. While privacy policies may be “lame,” they can save you from the catastrophe of a fine large enough to significantly impact your business – not something to mess around with!


ALTHOUGH KELLY AND KRISTIN ARE LICENSED ATTORNEYS IN THE STATE OF TEXAS, THEY ARE NOT YOUR ATTORNEYS, THEY HAVE NO ATTORNEY-CLIENT RELATIONSHIP WITH YOU, AND THEY DO NOT KNOW YOUR BUSINESS. THE INFORMATION IN THIS POST IS NOT TO BE CONSIDERED LEGAL ADVICE, AND YOU SHOULD NOT CONSIDER IT A SUBSTITUTE FOR LEGAL ADVICE. WE ALWAYS RECOMMEND CONSULTING WITH AN ATTORNEY IN YOUR LOCAL JURISDICTION SINCE THEY WILL BE ABLE TO ADVISE YOU AS TO YOUR PARTICULAR SITUATION AND ALSO PROVIDE YOU WITH INFORMATION SURROUNDING ANY NUANCES OF YOUR LOCAL LAWS THAT WE JUST SIMPLY CANNOT ADDRESS IN THIS POST. FURTHER, WE DO NOT GUARANTEE ANY SPECIFIC RESULTS.