Ever heard of the General Data Protection Regulation? If not, go and read the Wiki. I’ll wait.
I can already hear what you’re thinking. “Grant, this doesn’t apply to me because my company is in the <insert non-EU country here>.” How do I know you’re thinking that? Because every single person with whom I’ve brought this up has had the same response. You might want to go back and re-read it.
Data Subject
There are three terms from the GDPR that you need to know. The first is Data Controller. This is any organization or individual that collects data from the Data Subject. If the Data Controller is located in the EU, then you’re subject to the new regulations. Yes, I know, this means you don’t have to worry. Hang on a second.
The second term is Data Processor. This is any organization or individual that processes data on behalf of the Data Controller. If the Data Processor is located in the EU, then you’re subject to these regulations. Hold on, this is the good bit.
The final term is Data Subject. The Data Subject is any individual that lives in the EU. Now, let’s reassess whether or not the GDPR applies to you. Do you have an email list that might include a subscriber from Italy? You’re subject to the GDPR. Have a customer in Germany? You’re subject to the GDPR. Do you have any personal identifying information for any individual from any country within the EU? Guess what, you are subject to the GDPR.
GDPR Penalties
I know the next thing you’re thinking. “So what. What’s the EU going to do, come after me?”
Depending on who you are, no, of course not. I believe that I can access the subscriber list to this blog (I never have, maybe something I should get on, but bear with me). If there’s anyone from the EU within it, then I’m subject to the GDPR. Now, am I worrying? Well, yes. Not because the paltry number of hits I get are going to make me a good target. No, I’m worried because the penalties are insane and you know, for a fact, that they’re going to be going after people & organizations.
The penalties are easy to understand. 20 million euros or 4% of your turnover. Turnover? Yeah, another word for revenue. Gross revenue. I for one don’t have 20 million euros laying about, let alone the funds to pay for a lawyer to fight these guys in court. Yet, they could come after me and the sad sums I possess (I think I have about 70 pounds in my wallet at the moment, yeah, no US dollars even though I live in the US).
Oh, wait, I forgot one part. 20 million euros or 4% of your revenue, whichever is greater.
Now, do I have the attention of you and your organization? You bet I do. You can either hire a very high priced legal team to go to Brussels (it’s lovely, I wonder what the EU pays, I could do data investigation for them… hmmmm….) to defend your organization in the international courts, or, you need to ensure that you’re compliant with these new regulations.
Conclusion
It’s not like we were running out of work to do. However, a whole new assessment just fell in our laps. My strongest possible suggestion to you is that you ensure your boss and theirs are well aware that this is coming. You should either assess whether or not you’re vulnerable, clean up your systems, or lawyer up. The GDPR is going to be a huge deal in the coming year. Get ready.
Wow. Thanks so much for the heads-up. As they say “ignorance of the law is no excuse”.
Of course, despite your attempt some will still sneer at the thought of international laws affecting them. Others will have contention with whether a small company could or would legitimately ever really be fined $20 million, and so on. You’ve done what you can to put folks on notice, having “led the horse to water”.
I wonder if the more chilling affect (in time) may be on service providers that we use (who for most folks hold the info of concern). Would be sad to see some of them go away because of this, whether due to their being hit without seeing it coming or some being worried enough about compliance or penalties to let it impact them in some significant way. (Then again, some will celebrate that those who failed to “worry about” the issues addressed by the GPDR were shut down.)
Only time will tell how all this shakes out, for better or worse.
Way too true. There’s just no way to know how this breaks down & what happens. However, if I were running a fair-sized business, I’d be on top of this in a big way. I do know that PASS is figuring out if we’re compliant with it or not and we’ll adjust as needed to make compliance.
Will happen the same the American FATCA affects American citizens across the globe. Some Belgian banks (I have dual nationality) threw my out because they did not want to deal with this..
Yeah, we could see some companies just not take EU customers, but I think that’ll be a minority.
Well, I hope you don’t remove us -EU citizens- from your subscriber list 😀
Good article and spot on!
Cheers!
[…] Grant Fritchey summarizes the rules: […]