The first 911 email I received about the GDPR was from a fellow writer who had just read this post by Randy Ingermanson from his excellent blog at advancedfictionwriting.com. Randy’s article is worth a read, he gives some excellent tips on how you can comply with the rules. I won’t say Randy is wrong, but I think he – like so many others who have written on the topic – overstates the reach of the GDPR.
Gargling with Scope
Reading the full text of the GDPR is an exercise I can only recommend for policy geeks like myself or as relief from insomnia. That said there are some parts that bear out what Randy and others are saying. Consider for example this from Article Three, titled Territorial Scope.(emphasis is mine)
- This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
That paragraph and the one that follows it does say that the entity processing the data does not have to be in the European Union. How can that be? How can the European Parliament pass a law that affects companies that are completely outside its borders? Furthermore, how can this be enforced?
I’ll leave those questions for the pundits, politicians and international law wonks. I have no doubt that high-falluting attorneys have already rolled up the sleeves of their Brioni shirts and gotten to the business of sussing out cracks and crevices which can be used to challenge these rules for corporate clients. Consider though that any company can say hell no to these rules; all they have to do is never process certain kinds of data from anyone who is physically in the EU at the time of the transaction.
A different animal.
The GDPR is a regulation that says in effect if you want people in the EU to do business with your company, you will need to follow the GDPR rules on how you handle the data they provide. The issue then, is how do you know they are located in the EU. Without getting technical let’s assume it is possible to be fairly sure a user of your website is somewhere physically in the EU, but is fairly sure good enough? The GDPR provides stiff fines for violations (again we’ll leave the enforcement of those fines for the lawyers). Knowing that what you really need to do is refuse to let those in the EU do business with you, or even to interact with your web site at all. You need to put up some digital equivalent of a No Irish Need Apply sign, and you need a way to enforce it.
If it seems like it might be easier to make your web site compliant with the GDPR than to put a bouncer in place and hope no undesirables flash a bit of leg to get past, that’s because it is. The good news is that compliance may not be that big of a lift. The better news is that you may not have to worry about it.
A better mousetrap
To be fair to the Europeans, if all companies followed the provisions of these rules the internet would be a better place for everyone, not only for those in the EU. It boils down to an endearing philosophy. Keep customer data secure, inform users of any breaches, and make the communications you use in marketing as clear as you can.
Briefly here are the provisions of the GDPR that might affect you.
- No Spam – This broadens the definition of what spam is to include companies you do business with.
- Contact Form Changes. If you have a contact form (who doesn’t), or any others form which asks the user to enter personal data, the form must now include a box that the user will need to check to state that they agree to the terms of your site. Another box must also be provided which the user must check if they agree to further communications. If you will be contacting them in multiple ways, such as via email and text there must be a box for each. All of these checkboxes must be unchecked by default.
- Data Handling – All data for customers in the EU must be stored on servers in the EU and must be stored in an encrypted environment. This provision might be the most difficult for many website owners because it could involve switching web hosts.
My website is built using WordPress, in fact, all my websites are, so are many thousands o others. Your’s might be as well. If it is the news gets even better. WordPress made some changes to its software which help you deal with the data retention rules. WordPress plugins, which make the software do things it doesn’t normally do such as web forms, have jumped on the GDPR hay wagon too. if you are not on WordPress no reason to panic. many websites are on one of the many platforms that have done similar things to help you have a compliant web site.
Not For Everyone
I mentioned a few hundred words ago (seems like only yesterday) that I thought Randy overstated who is subject to these rules. I make this claim based on my thorough reading of the GDPR and other sources such as this piece in Forbes and this article at newsmediaalliance.com.
The Title of the Forbes article suggests that you will need to get busy, but a few paragraphs in it says that the company would only be subject to compliance requirements if it targets users in the EU. A user simply browsing to your site because you came up in Google does not put you n danger of a fine according to Yaki Faitelson who wrote that article.
The other article I linked gets into a bit more detail as to why you may not be subject to the law. First, it seems to back up that compliance is required.
“It is intended to cover any company, anywhere in the world, that either (1) offers “goods or services” to EU users or (2) “monitors the behavior” of EU data subjects.”;;
The paragraphs which follow this one draw the conclusion that you don’t need to worry unless you:
- Target people in EU member states. Recital 23 of the GDPR it says that “mere accessibility” of digital service from Europe is “insufficient” to confer EU jurisdiction over that service.
- Extensively track people in the EU. Again casual use of your site and the placement on a cookie on the users’ machine is not enough.
Getting compliant with the rules of the GDPR is not that difficult and it’s a good idea, but it may not be something you need to worry about, That said under no circumstance should you mistake anything I say for legal advice.