EU, GDPR and you
Today, May 25 2018, marks the introduction of a new EU law on data privacy: the General Data Protection Regulation (GDPR). For most of my clients (primarily based in the USA, with some in New Zealand and Canada), the EU seems an awfully long way away. At best, if you're in New York, it's a little over 7 hours of flight time to London. Or, since Britain is on its way out of the EU, about 7.5 hours from New York to Paris. Unfortunately, in internet time, it's a few seconds at most. And that's where, if you're not ready today, you could be leaving yourself wide open to legal action over how your website handles visitors' data.
The EU is tightening up on how and when companies collect, store and then use personal information. We agree that data protection is an extremely important topic, one which most companies fail to take anywhere near enough care over. Just Google "data breach 2018" to see the woefully long list of high-profile companies that have been hacked. However, we believe the EU has really over-stretched itself with this one. Part of the reason, we think, is its previous data privacy attempt, the so-called "Cookie Law" (the 2009 amendment to the ePrivacy Directive). It was toothless and ineffective, and GDPR looks to us like the knee-jerk reaction to that.
So, realistically, what does GDPR mean to people and companies hours of flight time away from the EU? Firstly, that we all need to stop thinking in terms of distance and flight time. We are closer to our next-door neighbor via the internet than we are physically, and the EU is as much our next-door neighbor on the internet as the house next door is in the physical world. That means anything that goes on "over there" WILL affect us "over here". GDPR WILL affect your business even if you have no EU clients. Its territorial scope (Article 3(2)) is drafted so broadly that it reaches organizations with no EU offices and no EU customers: the test is not where you are, but whether you offer goods or services to people in the EU or monitor their behaviour. Not physically conducting business with EU clients does not put you in the clear.
From our reading, almost every business in the world will be touched in some small way by GDPR. That's why we spent two full days updating the Privacy Policy on every client website and installing cookie consent popups to comply with the new law's requirements. Are we paranoid? Perhaps! Are we going as over-the-top as the EU? We don't think so. We believe our clients need any and all protections we can give them, hence our actions with their Privacy Policies.
How would a small Mom-and-Pop shop, say a local bakery in the middle of America, be affected by this law? They don't sell to the EU, and they certainly aren't an international chain of bakeries. Fair question. Ever received a random job inquiry by email? Or just any email? Has your website got analytics installed (if not, it SHOULD, and you should be reading those reports!)? What if that email, or one visit, comes from an EU resident? Here is where the breadth of the scope bites. The regulation itself (Recital 23) says that a website merely being reachable from the EU is not, by itself, enough to bring you in scope; the hook for our bakery is the "monitoring" limb of Article 3(2), and analytics that track individual visitors is precisely the kind of monitoring it describes. On top of that, the EU's top court ruled in Breyer (2016) that an IP address (and we all have one) counts as "personal data", even if you, like the vast majority of consumers, have a dynamic IP address (one which your internet provider changes from time to time). So if you collected it (or rather, your analytics collected it on your behalf), you are processing personal data and GDPR applies.
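One concrete, practitioner-level step that follows from the paragraph above is data minimization on the one field every web server and analytics package records: the client IP. The following is an added example written for this page, not code from the original post or from any analytics vendor. It truncates IPv4 addresses to /24 and IPv6 addresses to /48, the same masking Google Analytics applies when its IP anonymization option is enabled, and runs it over a few constructed (not real) access-log lines. The log format, the sample addresses (from the documentation ranges 203.0.113.0/24 and 2001:db8::/32) and the function names are this example's own assumptions.

```python
import ipaddress

# Constructed sample of Apache "combined"-style access-log lines. These are
# not real traffic; the addresses come from the reserved documentation ranges.
SAMPLE_LOG = [
    '203.0.113.42 - - [25/May/2018:09:15:02 +0000] "GET / HTTP/1.1" 200 5123',
    '2001:db8:85a3:8d3:1319:8a2e:370:7348 - - [25/May/2018:09:15:07 +0000] "GET /menu HTTP/1.1" 200 2310',
    'not-an-ip - - [25/May/2018:09:15:09 +0000] "GET /robots.txt HTTP/1.1" 404 209',
]

# Bit masks: keep the first 24 bits of an IPv4 address and the first 48 bits
# of an IPv6 address; everything after that is zeroed.
IPV4_MASK = 0xFFFFFF00
IPV6_MASK = ~((1 << 80) - 1)


def anonymize_ip(addr):
    """Return the address with its host-identifying bits zeroed.

    IPv4 -> last octet zeroed (e.g. 203.0.113.42 -> 203.0.113.0)
    IPv6 -> last 80 bits zeroed (e.g. 2001:db8:85a3:8d3:... -> 2001:db8:85a3::)
    Anything that does not parse as an IP is replaced by "-" rather than
    being passed through, so a malformed field can never leak unmasked.
    """
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return "-"
    if ip.version == 4:
        return str(ipaddress.IPv4Address(int(ip) & IPV4_MASK))
    return str(ipaddress.IPv6Address(int(ip) & IPV6_MASK))


def scrub_log_line(line):
    """Mask the client address, which is the first whitespace-separated field
    in common/combined log formats, and leave the rest of the line untouched."""
    client, sep, rest = line.partition(" ")
    return anonymize_ip(client) + sep + rest


def scrub_log(lines):
    """Apply scrub_log_line to every line and return the masked log."""
    return [scrub_log_line(line) for line in lines]


if __name__ == "__main__":
    for line in scrub_log(SAMPLE_LOG):
        print(line)
```

Apply this at ingestion time (before the line reaches disk or a third-party analytics service), not as an after-the-fact cleanup, because a raw log that has already been written is already a collection of personal data. Note the caveat: truncation reduces identifiability but does not guarantee anonymity, so treat it as minimization that shrinks your exposure, not as a way to take the data out of GDPR's scope altogether.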
Think GDPR isn't a big deal? As we're writing this, the BBC is reporting that a number of American news sites have made themselves unavailable to EU readers because of it. The lawmakers thought it was pretty important too, drafting a very large document. You can see the full GDPR law here. Warning: it'll undoubtedly send you to sleep! And on the very day the law came into effect, Google and Facebook were immediately hit with formal privacy complaints under it.
GDPR is a complex issue, and ignoring it, or trying to cobble something together without fully understanding it, is a bad idea. Want more info? Have a look at this post - a beginner's guide to GDPR.