Is Your Business GDPR Compliant? Websites: A Source of Liability Without Proper Policies in Place

01.14.19

Have you noticed lately how many websites have sent you an email or requested you agree to their new, updated privacy policy or terms of service? This is due to a new EU regulation that was passed in May of 2018 called the General Data Protection Regulation (GDPR) that requires businesses to implement safeguards to prevent against data breaches. The GDPR affects any business that collects or processes EU resident information regardless of whether the collection or processing of this data is intentional.

Regulated EU information includes: 

• Basic identity information such as name, address and ID numbers; 
• Web data such as location, IP address, cookie data and RFID tags; 
• Health and genetic data; 
• Biometric data;
• Racial or ethnic data; 
• Political opinions; or 
• Sexual orientation.

Why should U.S. business owners care about EU regulations? The GDPR requires active consent to collect data from EU residents and because the Internet is a global place, no business is safe from inadvertently collecting this data. More importantly, the regulation comes with a steep penalty up to 10,000,000 euros for failure to abide by notification requirements (see below for more information) and up to 20,000,000 euros for non-compliance with basic data processing principals. 

Even if a business believes it is GDPR compliant, it can still be held liable for data breaches or the mishandling of EU resident information in the following situations: 

• transfers to and from third-parties or international countries; 
• transfers made by those third-parties or international countries to another entity or country; 
• contracted processors, transfers to and from, as well as third-parties that process your data for you; 
• data collection on mobile devices; and 
• collection and processing of employee data (Employees should be given a data privacy notice, which explains what data will be stored and for what purpose. The GDPR does not presuppose consent is given by employees); and 
• undisclosed breaches.

If a breach of EU resident information ever occurs, there is a mandatory 72-hour notification window in which the data controller, from the time it’s aware of the data breach, must alert authorities. If the breach is high-risk, the data controller must also alert the specific individual(s) affected. If the breach occurs at the processing level, the processor is responsible for alerting the controller so that it can abide by the notification requirements. 

So, what can you do to make sure your business is compliant? It’s optimal for businesses to update contracts with third-party partners that may be accessing, collecting, or processing such data on the business’ behalf. More importantly, if your website collects data either through online purchases or a contact form, you should update or implement a privacy policy and terms of use. A strong privacy policy and terms of use will help your business avoid liability for data breaches and should require, with the help of your web developer, all website visitors to actively accept data collection. The GDPR recommends implementing a privacy policy that is concise, transparent, intelligible, easily accessible, and written in plain language. Having an attorney draft these policies ensures they are customized to your specific business and, as a result, are most protective. Updating or drafting these policies for the first time is simple and affordable, which, when compared with the potential fines, makes protecting your business a smart and easy decision. 

• Internet