Guest Blog: A GDPR Primer to Meet the Deadline Next Week

Published by Sabrina Pagnotta on May 23, 2018
Categories
  • Blog
Tags
  • Industry Regulation
Discussions on privacy laws have taken front and center in recent weeks as GDPR (General Data Protection Regulation) begins to be enforced by European Union (EU) member states on May 25, 2018. As we have been discussing for a while, there is confusion as data collectors try to figure out the impact of this legislation. There is no question that large, multi-national corporations will have to comply, and many of these corporations are already in compliance. However, with this deadline just around the corner, smaller companies that do not actively target EU residents are struggling with how this legislation impacts them.

Until all these laws are harmonized, the safest route for smaller companies may be to comply with GDPR, state, federal, local and industry regulations as much as possible. While the GDPR deadline is looming, it is worthwhile for smaller data collectors to consider the following aspects.

GDPR Overview

The GDPR website states this legislation “replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy.” (A guide to the EU GDPR can be found here.)

Importantly, GDPR will apply to all data collectors holding the personal data of EU residents, regardless of the location of the data collector. The definition of personal data is broadened to include any information “that can be used to directly or indirectly identify the person.” Therefore, under GDPR, this information can include “anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.”

GDPR also imposes new obligations on how the data is to be handled and stored. For example, EU residents will have a “right of access” that requires data collectors to provide specific details about how information is processed. GDPR grants EU residents a right to have their personal data deleted or erased by a data collector upon their request. The penalties for non-compliance may total up to 4% of the annual global turnover of the breaching data collector or €20 Million, whichever is greater.

Should We be Concerned About GDPR Regulations?

We have been getting questions from our clients about how GDPR may impact them. The knee-jerk reaction from many American companies appears to be to ignore GDPR if their business is not focused on EU residents. Admittedly, there are many questions concerning how GDPR regulations can be enforced on data collectors outside of the European Union. Of course, betting on the fact that the EU will not be able to broadly enforce these regulations is not the best strategy.

The consensus is that general marketing to customers that may include EU residents will not trigger an obligation under the GDPR. Rather, it appears at this time, that EU residents will need to be directly targeted for GDPR to apply to data collectors outside the United States. Commentators have provided the following analysis on this issue:

For example, a Dutch user who Googles and finds an English-language webpage written for U.S. consumers or B2B customers would not be covered under the GDPR. However, if the marketing is in the language of that country and there are references to EU users and customers, then the webpage would be considered targeted marketing and the GDPR will apply.

Accepting currency of that country and having a domain suffix — say a U.S. website that can be reached with a .nl from the Netherlands — would certainly seal the case.

Even if GDPR compliance may not be a priority for smaller data collectors, it is still worthwhile at this time for data collectors to consider compliance for the following reasons:

– GDPR compliance is not costly. At this point, compliance may amount to adding a few new disclosures to their website.

– GDPR compliance has a positive impact for customers that trust you with their data. Even if large, multi-national corporations have the most at stake, working toward GDPR compliance will only make data safer. Keeping data safe may result in more business and cutting losses related to a cyber incident.

– GDPR compliance puts you ahead of the pack. There is no doubt that the GDPR regulations are the strictest and most punitive we have seen to date. However, GDPR compliance is only going to help data collectors comply with state, federal and industry standards that they may already be required to follow. Further, if the GDPR is successful, data collectors can be certain the U.S. will adopt similar standards.

The Initial, Practical Approach To Compliance

Now that it is clear that GDPR compliance may be a concern even for data collectors that are not necessarily targeting EU residents, a discussion as to the potential for liability can be guided by the following points:

  1. Data Inventory. Data collectors need to first inventory the information and data that is being collected. A website that collects names and emails of visitors may gather EU residents’ data occasionally, but may not target the European Union for business. A data collector cannot thoroughly assess liability without taking stock of the origin of the collected data.
  2. Consent? While it is still early in the process of GDPR compliance, it is assumed that most data collectors will find there is a peripheral chance that data belonging to an EU resident will be collected. This is the proper time to determine whether consent should be obtained from all individuals providing any data or information. Consent does not have to be an elaborate policy that no one would want to read (we are looking at you, Apple). Rather, consent can be obtained through clear language without legalese. From a practical standpoint, data collectors may want to use a website such as SecurePrivacy.AI, which has recently begun offering a free tool that scans websites for GDPR compliance.
  3. Data/Privacy Officer. Reviewing GDPR compliance also provides an opportunity to consider whether a data/privacy officer should be appointed. This person will be responsible for handling data and information retention issues and would be a point of contact for anyone worried about how their data was gathered, used or retained.

The issues concerning GDPR are not new. Data collectors have been struggling with compliance with federal, state, local and industry data collection requirements for years. For example, an employer in Chicago, Illinois may hold information for its employees that are residents of Illinois, Wisconsin or Indiana. This employer may have been trying to harmonize privacy regulations for years at this point. Consequently, data collectors should use GDPR as another opportunity to assess the safeguards they have in place to protect data.

Sabrina Pagnotta
Sr. Content Strategist