On May 25, 2018, the General Data Protection Regulation (or “GDPR”) came into force in the European Union. Some may have heard of this piece of EU legislation – most likely because it has to do with data and privacy, which are hot topics because we all just watched Mark Zuckerberg, founder of Facebook®, get rolled at a Congressional hearing because of his company’s practice of giving away folks’ data.
So, what exactly is the GDPR? And, why should companies (especially small or medium size companies in Vermont no less) care?
In a nutshell, the GDPR defines new “rules” to govern the relationship between EU residents and any company that collects or obtains their personal data (like name, address, email address, and telephone numbers). These rules heavily favor the individual’s ability to control how companies exploit their personal data. And notice the emphasis on “any” here – these rules are written to apply to companies “not established in the Union” that perform activities on personal data (including collecting personal data), where those activities relate to “the offering of goods or services” to EU residents.
The rules create a broad mandate. Consider, for example, Company USA that does direct sales of goods through its own website, where the purchaser has to create an account or simply provide their name and email address (which Company USA may use for follow-on communications about new products, conduct satisfaction surveys, or simply to provide confirmation of purchase). As written, Company USA might need to comply with the rules of the GDPR where the purchaser is resident in one of the 28 countries of the EU.
Time will tell how this new data paradigm impacts companies in both the EU and the U.S. Meantime, Company USA (and others here in the U.S.) might consider a few basic steps toward compliance with the GDPR:
- Review your customer base to identify whether you do business with any EU residents (or what the GDPR calls “data subjects”).
- Audit how you collect, store, and use personal information from customers.
- Review your Privacy Policy for your website (and, if you don’t have one, now is a good time to get one in place). The Policy should make clear to your customers (a) what personal information you collect from customers, (b) what you do with that information, (c) how long you keep that information, (d) how customers can access and make changes to that information, and (e) how customers can make a request that you delete their information. Also, it is important for your Policy to inform customers about your use of “cookies.”
- Implement an on-line consent process, for example, an “opt-in” check-box that includes text to inform customers about how they can review your Privacy Policy and describes (a) the information you collect and (b) how you use their information.
For additional information or questions, feel free to contact Michael Wasco, Head of the Patents + Intellectual Property Practice, at mwasco@pfclaw.com.