We heard a lot this year about the impact of GDPR for businesses in the EU. But what are the stakes beyond Europe? Does GDPR have borders?
GDPR: is my business impacted?
When it came into force, GDPR (General Data Protection Regulation) defined solid principles to protect European citizens’ personal data, and established requirements for companies that operate in the EU and beyond. Basically, the regulation protects data of all European residents! If your company provides services to these citizens, it must follow the GDPR.
GDPR Article section 2
This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
- the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
- the monitoring of their behaviour as far as their behaviour takes place within the Union.
Source: GDPR via gdpr-info.eu
GDPR outside of Europe: caught between obligations and pragmatism
Theoretically, addressing European visitors (via targeted campaigns, sites for residents of Europe or even specific offers) means that you fall within the scope of GDPR… But this means that most advertisers around the world would, too! To determine if GDPR means things must change for you, you must thus measure your engagement with Europe. So what criteria and best practices must you know about to make sure that your data collection is legitimate and reasonable?
Do you deliver products in a country within the European zone or accept payment in Euros? Do your ads target European prospects? If you answered yes to either question, or if a large majority of your client base is in Europe, you are undoubtedly held to the regulation (and you probably already have a specialist in place to navigate it).
In your case, you should follow the regulation to the letter: obtain prior consent from users before collecting or exploiting their data, and make it simple for users to access, modify, or delete data. Remember to clearly state how long data will be stored, and delete no-longer-relevant data. Lastly, enlisting the help of a GDPR-specialised law firm is key!
Is your business primarily located outside the EU? In this case, update your user conditions so they’re clear and exhaustive. For example, you should list all partner (e.g. second-party data deals) and third-party services that you exchange data with (web analytics, ad server, DSP…). Generally speaking, be as transparent as possible with your users!
In any event, each business is different and the challenges of personal data should be addressed with the help of appropriate legal and technical advice. Local legislation should be considered too, as this often complements or even contradicts GDPR! Broadly speaking, the implementation of GDPR is a unique opportunity to reconsider your own governance structure and to incorporate legal and ethical components that fit your company. Take advantage of this chance to showcase your transparency and build trust with your clients!