So you think General Data Protection Regulation (GDPR) only applies to European and Switzerland websites? And the UK after it has left the EU?
Think again. According to Forbes, yes it will affect you, us, and them in the United States. In fact, it will affect everyone globally. And applies not just to websites, but servers including cloud services.
I have clients in the UK and they are scratching their heads in bewilderment. The regulations even affect how long you are permitted to hold personal data, or whether you can even have a person’s name, address and phone number on a delivery invoice.
But, when you take a look at what Europe is doing, you have to admire it. The European Union has had enough, and seriously, so have we in the United States.
More than ever, OUR social network platforms are being corrupted for malevolent purposes. I’m not even going to mention names here, or talk about bots, political espionage, the corruption of truth and ethical practices. Our social networks have become weaponized and each platform has, over the last three year’s in particular, a huge increase in profits and did nothing to stop it. Bravo the EU for stepping up and really protecting your citizens’ Personal Information (PII). Now how about the United States?
Enter Stage Right Senator Mark Warner. Senator Warner is Co-Chair and Founder of the Senate Cybersecurity Caucus. “Warner is coleading the committee’s investigation into Russian election interference, which has increasingly centered on the growing, unfettered power of technology giants, whom he believes need to get over their “arrogance” and fix their platforms.*”
Will the government mandate privacy regulations that would make big corporations like Facebook, Twitter and Google liable for the content and protect their users personal information? It looks like it is heading that way. But how about our own users personal information? We should be considering taking the best of the EU mandate and make it ours.
Forbes magazine put it succinctly: “Article 3 of the GDPR says that if you collect personal data or behavioral information from someone in an EU country, your company is subject to the requirements of the GDPR. Two points of clarification. First, the law only applies if the data subjects, as the GDPR refers to consumers, are in the EU when the data is collected.”
Phew, when my client sells event tickets, a customer pays a bill for work on construction here in the United States, or a client collects information from volunteers, they are not subject to GDPR?
Umm, now it gets really complicated. Here are the What Ifs.
What if the client is from Europe and at the time of the transaction is in Europe. They are having a house built here in the United States. And pay the builder online through the builder’s website? Do they fall under GDPR? What if the client is sending out marketing surveys to their membership database and is collecting PII, would they fall under GDPR mandate? Maybe. If the site visitor, or a client member, resides in any one of the 28 countries in the EU but is temporarily working in the United States for a year, what then?
Are the GDPR cops going to come after my small business clients? I’m not answering this question because I don’t know. I’m not scare mongering, I just don’t have any answers and after studying this for the last month, I still don’t know. Every bit of information produces a slightly different analysis of what is mandated and what we in the United States need to do.
What is the law in the United States. West Law has some answers:
“In the US, there is no single, comprehensive federal (national) law regulating the collection and use of personal data. However, each Congressional term brings proposals to standardise laws at a federal level. Instead, the US has a patchwork system of federal and state laws and regulations that can sometimes overlap, dovetail and contradict one another. In addition, there are many guidelines, developed by governmental agencies and industry groups that do not have the force of law, but are part of self-regulatory guidelines and frameworks that are considered “best practices”. These self-regulatory frameworks have accountability and enforcement components that are increasingly being used as a tool for enforcement by regulators.**”
There are some data protection laws in place in the United States that protect users bank information, health, telemarketing and commercial email. But none of these are as ironclad as the EU GDPR.
The fines are horrendous-€2M. Gulp. That’s 2 Million Euros or at today’s rate $1,200,415.34. Not a slap on the back of the hand.
What can we do now in the United States?
- Follow the Guidelines already being implemented by the giants at Google, WP Engine, Microsoft, and GoDaddy.
- Shore up our Terms and Conditions and Privacy Policies on our websites.
- Let our consumers know they can make decisions on how we use their data. We don’t share their data with anyone. We don’t sell their data to anyone.
- Secure their personal information (PII) which also means ensuring company employees, temporary workers, contractors, volunteers and third party organizations with access to PII sign a non-disclosure agreement to protect our users and consumers.
- Let our consumers know exactly who has access to their PII. This will raise shock and horror from consumers so take it seriously.
- Be Ethical.
- Be Transparent.
- Use BEST PRACTICES.
It is very complex but if we can think in terms that our users’ data belongs to them and we are its gatekeeper, that may help us understand our responsibility. It will certainly make us more ethical and therefore trusted by our customers. That can’t be a bad thing.
* Carr, Austin; McCracken, Harry. “Twitter’s Moment of Truth” Fast Company, May 2018, pp. 58-67, 99.
** Leuan Jolly, Loeb & Loeb. “Data protection in the United States: overview” 01 July 2017. Read 01 May 2018, https://content.next.westlaw.com/6-502-0467?transitionType=Default&firstPage=true&bhcp=1&contextData=(sc.Default