Is Your Business GDPR Compliant? Websites: A Source of Liability Without Proper Policies in Place
Regulated EU information includes:
- Basic identity information such as name, address and ID numbers;
- Web data such as location, IP address, cookie data and RFID tags;
- Health and genetic data;
- Biometric data;
- Racial or ethnic data;
- Political opinions; or
- Sexual orientation.
Why should U.S. business owners care about EU regulations? The GDPR requires active consent to collect data from EU residents, and because the Internet is a global place, no business is safe from inadvertently collecting this data. More importantly, the regulation comes with a steep penalty of up to 10,000,000 euros for failure to abide by the notification requirements (see below for more information) and up to 20,000,000 euros for non-compliance with the basic data processing principles.
Even if a business believes it is GDPR compliant, it can still be held liable for data breaches or the mishandling of EU resident information in the following situations:
- transfers to and from third parties or other countries;
- transfers made by those third parties or countries to another entity or country;
- transfers to and from contracted processors, as well as third parties that process your data for you;
- data collection on mobile devices;
- collection and processing of employee data (employees should be given a data privacy notice, which explains what data will be stored and for what purpose; the GDPR does not presuppose that consent is given by employees); and
- undisclosed breaches.
If a breach of EU resident information ever occurs, the data controller must alert the authorities within a mandatory 72-hour notification window, measured from the time it becomes aware of the breach. If the breach is high-risk, the data controller must also alert the specific individual(s) affected. If the breach occurs at the processing level, the processor is responsible for alerting the controller so that the controller can abide by the notification requirements.
DISCLAIMER: The information provided is for general informational purposes only. This post is not updated to account for changes in the law and should not be considered tax or legal advice. This article is not intended to create an attorney-client relationship. You should consult with legal and/or financial advisors for legal and tax advice tailored to your specific circumstances.