The EU General Data Protection Regulation (GDPR) will come into force on 25 May 2018. GDPR will replace the disparate and inconsistent data protection laws of EU member states with a single, consistent data policy that emphasises the agency and empowerment of citizens.
GDPR affects any business which is located in the EU, offers goods or services to EU citizens, or monitors the behaviour and personal data of EU citizens. Personal data, in this context, means anything that can be used to identify an individual: names, photos, email addresses, bank details, posts on social media, medical information, even computer IP addresses. The penalties for breaching GDPR are strict: organisations will be fined up to €20 million or 4% of their annual global turnover, whichever is higher.
It’s worth noting that the UK has historically supported GDPR, and is likely to implement an equivalent, similar policy even after Brexit. Preparing to comply with GDPR should give US businesses a head start in dealing with user data from the UK. The Information Commissioner’s Office has a full, English-language overview of the GDPR process and the fundamental rights GDPR exists to protect.
What kind of businesses will be most affected by GDPR?
Any business which is active in the EU will see its responsibilities extended under GDPR, but the digital sector will be particularly affected.
For example, adtech businesses may find it harder to argue they’re not processing ‘personal data’. GDPR explicitly discusses IP addresses and cookies as a form of personal data, given that they can be combined with other data or used as a starting point to identify specific individuals.
Additionally, if a business sources personal data from a third party, it will likely have to communicate with the data subject, providing contact details for the data protection officer, an explanation of the legal basis for processing, and details of the objection or opt-out process. For the latter, a publicly available notice on its website is not enough: data subjects must be notified directly.
David Reed - DataIQ’s Director of Research - sums up the consequences most succinctly, with the claim that adtech will shift from a B2B to B2C focus, in readiness to cope with subject access and data deletion requests from users who’ll be ever more aware of how adtech works. As a rule, businesses will have to be clearer and more explicit in their communications, outlining the ‘right to be forgotten’ and no longer relying on pre-ticked boxes or default opt-ins.
My business already operates in mainland Europe. How do I start preparing for GDPR?
According to data protection specialist and former French government minister Noëlle Lenoir, EU standards of data security have generally been higher, and EU customers more concerned about their data privacy, than in the US. Existing US-EU data protection agreements, such as Safe Harbor and the Privacy Shield, are likely to be superseded by GDPR. In the meantime, EU Model Clause agreements are recommended as a way for US businesses to keep their noses clean.
US businesses may have to accept that their existing approach to data protection is not enough to make EU customers feel secure, and that complying with GDPR is a matter of building goodwill and integrity as well as adhering to the law.
A survey of large American multinationals by PwC revealed that 71% of respondents have already begun preparing for GDPR by assessing two things: the gap between their current data protection practice and the requirements of GDPR, and the data they already hold, over half of which is likely to be unknown to the business itself. 54% have begun de-identifying their European data by deleting or masking elements of the personal data they hold.
US businesses with existing EU operations will also have to make changes to their data protection practice, almost as if they’re starting over - so the next section will serve as a guideline for them too.
My business wants to expand into mainland Europe. How do I comply with GDPR?
These four elements will stand US businesses with EU operations in good stead for May 2018:
- Data protection officer - Businesses which monitor data on a large scale, or conduct large-scale processing of personal data, may designate a data protection officer to oversee GDPR compliance and data handling issues. This person should be technically competent and have some capacity to work with data subjects directly. Relevant expertise exists in IT, marketing, and legal teams.
- Data protection policy - There is no such thing as an automatic opt-in under GDPR: users and customers have to explicitly consent to give their data to businesses, by making a specific, informed and unambiguous statement or action. This means a new stage has to be built into every interaction with a customer or client, including website visitors. Vendor management is another area to revise - under GDPR, a business is liable for the actions of its data processors, so contracts with (for instance) advertising or web hosting services will have to explicitly state what data will be collected and retained, for how long, and what for.
- Data transfer procedures - US companies will be able to transfer EU data to third countries or organisations, provided they secure an adequacy designation. These designations are binding in all EU member states, so one designation will serve across the EU. The EU also recognises some countries as providing adequate data protection, allowing personal data to flow to those countries without any further safeguard being necessary. Businesses may also have to ensure their data can be shared with data subjects or transferred to different controllers upon request, without compatibility issues.
- Breach notification systems - In the event of violation of personal data freedoms and rights, GDPR demands that data processors notify data controllers without delay. In turn, data controllers must notify their country’s supervisory authority within 72 hours. Businesses which outsource data processing to other companies will need to ensure they have an efficient channel of communication for reporting incidents. All businesses will need an efficient system for recording, describing and reporting breaches to the European Data Protection Supervisor.
Don’t forget the website
That’s the message from Matt O’Neill, Atlantic Leap partner and GM, Europe for our client, The Media Trust: “While everyone is scrambling to categorize their data and map its use in their environments they are frequently overlooking a critical element: the business website,” he explains.
“The interactive and engaging functionality people expect is delivered by third-party vendors, and these vendors can comprise more than 75% of executing website code. Not only is this code not owned and operated by the enterprise, but it is also not readily visible because it executes on the browser.”
This functionality comes at a cost. Each third-party vendor represents an access point that could be compromised and serve malware, redirect visitors to another website, or secretly collect website visitor (first-party) data. This is a problem: how can you comply with GDPR mandates if you don't even know what a vendor is executing, let alone whether it is collecting visitor data?
“To properly evaluate risk exposure, website owners and operators need a holistic view of the technologies running on the site and what they are doing,” says O’Neill. “First, businesses need to identify, analyze and document all third-party vendors executing on consumer-facing websites. Second, they need to evaluate all data tracking activity for compliance with GDPR.” Considering the dynamic nature of personalized website content delivery, this is no easy task.
Continuous deep scanning of your website from the user's point of view is required in order to surface all executing code and technology. The ability to demonstrate control over your website's ever-changing composition is critical to mitigating - possibly avoiding - penalties when you or your partners are found to be in breach.
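The first step O'Neill describes, identifying and documenting every third-party vendor executing on a consumer-facing page, can begin with a static pass over the page's HTML. The following is an added example and not code from the article or from The Media Trust; the page URL, hostnames and sample HTML are constructed, and a static pass misses code that vendors inject at runtime, which needs a headless-browser crawl on top.

```javascript
// Static first- vs third-party inventory of what a page loads (added example, not the article's code).
// Query parameters on each vendor URL are kept: they show what the page hands to that vendor.
const SRC_RE = /<(script|iframe|img)\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
// Inline scripts have no src; they run as first-party code but can load vendors at runtime.
const INLINE_SCRIPT_RE = /<script\b(?![^>]*\bsrc\s*=)[^>]*>[\s\S]*?<\/script>/gi;

function inventory(html, pageUrl, firstPartyHosts) {
  const base = new URL(pageUrl);
  const firstParty = [base.hostname, ...firstPartyHosts];
  // Caveat: a first-party-looking hostname can be CNAMEd to a vendor; confirm with DNS, not just the name.
  const isFirstParty = (host) => firstParty.some((fp) => host === fp || host.endsWith('.' + fp));
  const entries = [];
  for (const m of html.matchAll(SRC_RE)) {
    let url;
    try { url = new URL(m[2], base); } catch { continue; } // malformed src: skip it
    if (url.protocol !== 'http:' && url.protocol !== 'https:') continue; // data:/javascript: are inline
    entries.push({ tag: m[1].toLowerCase(), host: url.hostname, path: url.pathname,
                   params: [...url.searchParams.keys()], thirdParty: !isFirstParty(url.hostname) });
  }
  const thirdPartyHosts = {};
  for (const e of entries.filter((e) => e.thirdParty)) {
    (thirdPartyHosts[e.host] = thirdPartyHosts[e.host] || []).push(e);
  }
  return {
    total: entries.length,
    thirdPartyCount: Object.values(thirdPartyHosts).reduce((n, list) => n + list.length, 0),
    inlineScripts: (html.match(INLINE_SCRIPT_RE) || []).length,
    thirdPartyHosts,
  };
}

// Constructed sample page: three first-party assets, one inline script, four vendor loads.
const SAMPLE_HTML = `<html><head><script src="/js/app.js"></script>
<script src="https://static.example-shop.com/bundle.js"></script><script src="//cdn.ad-vendor.example/tag.js"></script>
<script src="https://analytics.tracker.example/collect.js?site=42"></script><script>window.dataLayer = [];</script>
</head><body><iframe src="https://widget.chat-vendor.example/embed"></iframe>
<img src="https://analytics.tracker.example/pixel.gif?uid=abc&ref=home"><img src="/logo.png"></body></html>`;

const report = inventory(SAMPLE_HTML, 'https://www.example-shop.com/', ['example-shop.com']);
console.log(JSON.stringify(report, null, 2));
```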
The good news
Although GDPR means a great deal of work for US businesses operating in the EU, there is an upside. The GDPR will apply across the EU, meaning that transfer procedures, breach notification systems and data protection policies can be standardised across EU member states. The work involved in meeting GDPR will not only improve data protection and grant confidence to European clients and customers; it will ultimately streamline the process of data processing across the European economic sector.
That said, there are fourteen months to go. Planning and action need to start now. Businesses need to know how much data they’re processing, and how much their customers know. All customer interactions that result in data collection - phone calls, website visits, mailing list sign-ups - will need to include an opportunity for clear and informed consent by the customer. Existing data will need to be handled too, perhaps by giving existing customers and contacts a chance to review what’s being held and re-consent.