GDPR - Practical Advice For Small & Mid Sized US Companies
Many of our resort clients serve customers based in the EU. Therefore we've been addressing these issues over the past few months, and I thought I'd share some practical advice for all.
To back up, the General Data Protection Regulation (GDPR) is an EU regulation designed to protect digital privacy for its citizens. It applies to all data directly or indirectly related to an identifiable EU citizen that is processed by an individual, company, or organization. Data such as
- name, address, ID number
- web location, IP address, cookies
- health, genetic, and biometric data
- race or ethnic data or sexual orientation
The regulation provides rules for how such data is collected, stored, and shared. And the required steps should there be a breach.
Do US Companies Need to Comply With GDPR?
Good question. Technically speaking they do if EU citizens are sharing their data with a US company - directly or indirectly. You may not even realize you do. Say for instance, you're a small midwest ski area that mostly serves its own area. But if an EU citizen happens to travel there, and decide to come visit, you are subject.
If you've read anything about this, the headline sensationalizes the maximum 20M $EU or 4% of global sales figure. However, well under that are "reprimands" and then perhaps bans on processing in the EU. Practically speaking I think we can expect that only the biggies and the most agregious are going to see those big penalties.
GDPR is enforced by Data Protection Authorities in every member state. DPAs have discretion and they have priorities. They also only have so much capacity. And that's at the heart of the pragmatism at hand.
At the highest risk are companies based in the EU with egregious violations. At the lowest risk are companies outside the EU that are not actively targeting EU citizens and not intentionally trying to subvert the GDPR.
Given how easy it is for violators to be reported, and thus the overwhelming volume you can assume they're need to manage, one can expect that the risk will be very low in general.
Should I Focus on Privacy Anyhow?
Hell ya. It really doesn't need to be a huge burden and this is what customers want. Its good business. Plus, even if the federal government is incapable of governing at the moment, states are taking it upon themselves to regulate. In June, California just stepped up with their Cosnumer Privacy Act which largely mirrors GDPR but focuses more on consumer rights at the point of collection will take effect in 2020. Here in Vermont, we passed a law that regulates data brokers that buy and sell personal data. Colorado has also passed a bill focused on defining data protection practices within companies. Here is a whole list of states and related intnernet privacy laws. The interesting or unfortunate thing is that the California law in particular may spark Congress to take up the topic - but unfortunately not to increase privacy protections for US citizens, but to water them down for corporations. Who knows.
In any case, if you have the choice, you know what the right thing to do is. So do it.