1. What websites are subject to the GDPR?
This question really has several answers. The short answer is: if you have a website, the GDPR could possibly, even probably, apply to you.
If your business is located in the EU and if you gather and/or process user information of EU data subjects, the GDPR definitely applies to you.
If your website makes products or services available to EU data subjects or offers products or services in a language or currency of, or offers shipment to, a member-state of the EU, the GDPR applies to you.
Some businesses, because their customer-base is outside of the EU, block access to their websites from EU-based IP addresses, or plainly state they only sell within their own non-EU country, thinking this removes any susceptibility to GDPR enforcement actions. Unfortunately, that’s not the case.
Most hosting servers capture the IP address of every site visitor. Many websites also plant a cookie on a visitor’s computer. So even if your site solicits no user information whatsoever, you’ve already gathered their IP address, at the least – and under the GDPR, IP addresses are considered to be personal information.
Additionally, the GDPR can become applicable to businesses with no EU presence or active marketing in the Union in two distinct scenarios:
- Elias Castellano, a Spanish citizen, visits your website from anywhere within the European Union; or
- Pierre Bauchard, a French citizen, visits family in New York and while there, he visits your website.
Both examples could leave you exposed to the requirements of the GDPR.
2. How can the EU expect to enforce its regulations on a U.S. company with no presence in the EU?
There are at least two ways in which the Commission can enforce the Regulation on companies without an EU presence.
a. Reciprocity – there are already a number of reciprocity agreements between the EU and other countries.
For instance, there is a mutual agreement in place between the EU and the US under Privacy Shield, which also deals with data privacy. Under such agreements, both parties agree to assist in prosecuting crimes within the boundaries of the other party.
b. International Law – any company based in a country outside the EU may be subject to international law and could be prosecuted by that route.
There are other avenues, as well, but those are the two most likely to be pursued.
3. What are the penalties for non-compliance?
The Regulation allows for fines of up to €20 million or 4% of annual global turnover, whichever is greater. And it’s important to remember that both data controllers and data processors can be fined – for the full amount.
So if you’re both a controller and a processor, there’s an as yet untested possibility, perhaps even a probability, that you could be fined twice.
4. What qualifies as personal data?
The GDPR is designed to protect “personal data”, which is defined as any data relating to an identifiable natural person who can be identified, directly or indirectly, via that data. This can include:
- Home address
- Work address
- Telephone number
- Mobile number
- Email address
- Passport number
- National ID card
- Social Security Number (or equivalent)
- Driver’s license
- Physical, physiological, or genetic information
- Medical information
- Cultural identity
- Bank details / account numbers
- Tax file number
- Credit/Debit card numbers
- Social media posts
- IP address (EU region)
- Location / GPS data
At the time of collecting data from the data subject, you must inform them of what data you are collecting, the purposes for which that data will be used, the potential risks, how long you will retain it, and who you will be sharing it with. You should also provide contact information for the data controller, the data processor(s) and the Supervisory Authority, and inform the data subjects of their rights pertaining to their data. This information must be provided in a clear and concise manner, so that it is easily understood, and it must be easily accessible.
If at any time you decide upon a new use for the personal information you already possess, you must give the data subject the opportunity to opt in to that new use before beginning that processing.
6. What rights must be provided to the data subjects?
Personal data remains the sole property of the data subject in perpetuity, regardless of how your company may have acquired it. You should inform them of their rights and give them an easily understood and accessible manner in which to exercise those rights. Their rights include, as a minimum:
- Data portability – the right to receive a machine-readable copy of all their personal data in your possession;
- Data rectification – the right to rectify incorrect or incomplete personal data;
- Data restriction – the right to limit the processing of their personal data;
- Data deletion – the right to have all their personal data deleted.
Data subjects should also be given the contact information at your company that enables them to easily request any of the above, as well as the contact information for the appropriate supervisory authority or the ICO, should they wish to lodge a complaint.
7. What businesses are required to appoint a Data Protection Officer (DPO)?
A DPO must be in place in these three instances:
- A public authority;
- An organization involved in large-scale monitoring;
- An organization engaged in large-scale processing of sensitive personal information.
For other entities, a DPO is optional.
8. We just share information, at no charge. Does GDPR apply to us?
Yes, the GDPR specifically states that it applies, whether payment is exchanged or not.
9. Must I also get consent to gather personal data?
You must always have a lawful basis to process personal data, but explicit consent isn’t always a requirement. There are six different lawful bases for processing:
- Explicit consent – the data subject has clearly granted consent for you to gather and process their personal data;
- Contractual – processing is necessary in order to comply with contractual terms;
- Vital Interests – protecting life or limb of someone necessitates the processing;
- Public Task – when processing is conducted as part of an official government function in the public interest and has a clear basis in law;
- Legal Obligation – when processing is necessary in order to fulfill legal requirements;
- Legitimate Interests – when processing is necessary because of your legitimate interests, provided that the data subject’s interests always take precedence.
When processing is performed for a variety of reasons, it’s quite possible that two or more lawful bases should be relied upon.
10. Do I need to get consent from my existing contacts?
If the manner in which you acquired consent from your present contacts was consistent with GDPR requirements, then you should be okay, provided you have the records to back that up. If not, you should reach out to your contacts with a link that lets them refresh their consent via an appropriate opt-in.