What is it?
The General Data Protection Regulation (GDPR) is a European law that will govern how companies (whether EU-based or not) use personal data. It replaces the existing law on use of personal data and went into force on 25 May 2018. Many aspects of the existing law will remain in place, including the data protection principles on which the legislation is based, restrictions on cross-border data transfers and obligations on data controllers. However, the GDPR also brings new challenges, including increased fines and extra obligations on both data controllers and data processors.
Side note: In the EU, personal data means almost anything that could identify a person, not just names, email addresses, addresses and phone numbers, but also device IDs, IP addresses and even some cookie data.
Does it apply to me?
Yes, if you: (a) offer goods or services to EU-based individuals (whether for payment or not); and/or (b) monitor the behaviour of EU-based individuals (including via cookies). This, importantly, may also capture companies providing B2B services to businesses based in the EU, such as hosted data services, data analytics platforms and outsourced business functions. In a nutshell, Europe wants to ensure that companies marketing to or interacting with EU consumers are more responsible in doing so. It is important to remember that the GDPR does not discriminate by sector, most companies with an online presence and any companies that process EU personal data will be impacted, regardless of sector. Ad Tech, Cloud and SaaS providers are likely to be hit particularly hard.
Ok, so what do I have to do?
It really depends on two things: your appetite for risk and your role in respect of the data involved. What do we mean by the latter? You can be a data controller in charge of deciding what happens to the data, in which case your obligations are numerous; or you can be a data processor or sub-processor being told by someone else what to do with that data, in which case you have fewer obligations than data controllers, but you cannot sit back and relax. Regardless of your role, you will need to:
- better inform your customers about what you do with their data;
- account for the data you process (e.g., by keeping clear records on what you do with data); and
- start putting privacy higher up your list, both at the inception of the product or service and throughout its lifecycle (including ensuring adequate security).
What happens if I don’t do it?
It depends what you classify as your worst-case scenario. It could be a breach of the law, like mishandling data or a data breach, in which case you are looking at reputational damage, business losses and fines of up to 20M Euros or 4% of worldwide annual turnover (whichever is greater). Or it could be delaying or losing out on an M&A transaction or an investment opportunity because you are not GDPR compliant. Each business, large or small, will face its own personal challenges with regard to GDPR.