The EU’s General Data Protection Regulation (GDPR) impacts businesses worldwide, but here’s how your startup or small business might fall outside its scope.
The European Union’s General Data Protection Regulation (GDPR) is an overhaul of Europe’s data protection rules. It gives people in the EU more transparency and control over the personal data that companies and other organizations collect and process about them.
GDPR was adopted in 2016 and, after a two-year transition period, becomes enforceable on May 25, 2018. While many EU companies are working hard to comply ahead of the deadline, many U.S. and other non-EU companies are surprised to learn that the regulation applies to them as well.
Read on to find out if your small business or organization should be freaked out by GDPR, or if you will be relieved to find you may be exempt.
Look, seriously: I’m not a lawyer, do your own research, all that. But I think this information will be helpful to you. GDPR applies to thousands of businesses that don’t even realize what it is, but there is also an important exception that is not being addressed much in the news.
The worldwide impact of GDPR
GDPR lays down a sweeping set of rules for collecting and handling the personal data of people in the EU. Among other things, where processing relies on consent, GDPR requires that the consent be freely given, specific and unambiguous, and it gives data subjects an array of new rights over their personal data after it is collected.
For example, businesses must be able to provide any user with a copy of all the personal data they hold about them, in a commonly used electronic format. Businesses must also delete a user’s personal data upon request (the right to erasure, also known as “the right to be forgotten”), subject to a limited set of exceptions such as data the business is legally obliged to retain.
The costs of complying and not complying
GDPR is good for consumers in the EU, and consumers outside of the EU will incidentally reap some of the benefits as well. By and large, GDPR forces organizations to prioritize doing right by their users when it comes to their personal data.
However, as you can imagine, complying with these rules is not simple. Implementing new systems and processes, coordinating compliance with vendors, and so on takes a lot of work.
But there is strong motivation to comply. If you are found to be in violation, you are subject to warnings and reprimands and then hefty fines: up to €20 million or 4% of your worldwide annual turnover for the previous financial year, whichever is greater.
Which is why businesses—particularly those that are late to realize that GDPR applies to them—are scrambling to comply.
Surprise, this EU law might apply to you, too
It’s an EU regulation, but it affects the whole world.
GDPR doesn’t apply only to EU-based organizations, or multinational corporations that happen to have a presence in the EU. GDPR applies to people and organizations anywhere in the world that collect, store, or process the personal data of anyone in the EU.
It doesn’t matter if you are a free service or a paid service. It doesn’t matter whether or not you share data with other organizations. It doesn’t matter if you are a huge corporation or a tiny entity. It doesn’t matter if you only collect a little bit of personal data, like email addresses for your marketing mailing list.
You might be surprised to find out that YOU collect personal data
You may think, “I don’t collect, store, or process personal data. GDPR couldn’t possibly apply to me!”
But under GDPR, “personal data” has a broad definition. It’s not just things like usernames, email addresses and social security numbers. It also includes online identifiers such as IP addresses, device identifiers and cookie data that could be used to indirectly identify an individual.
So, if you’re doing something as normal as using Google Analytics on your humble website, then in the eyes of GDPR you’re a “data controller” for that analytics data, and Google is your “data processor”. Both data controllers and data processors have obligations under GDPR.
And since your humble site can be visited by people in the EU (it can), the usual conclusion is that you’re subject to GDPR.
Why GDPR might not apply to you
In a Dec. 2017 Forbes.com article, guest author Yaki Faitelson points out an exception to GDPR’s extended scope. This exception is very important to small companies that have no physical presence in any EU country and don’t intentionally market goods or services to the EU:
The organization would have to target a data subject in an EU country. Generic marketing doesn’t count. For example, a Dutch user who Googles and finds an English-language webpage written for U.S. consumers or B2B customers would not be covered under the GDPR. However, if the marketing is in the language of that country and there are references to EU users and customers, then the webpage would be considered targeted marketing and the GDPR will apply.
This is an important but not-often-repeated exception. Almost every article I read on the subject of GDPR simply pointed out that you must comply with GDPR if you have collected personal data from even one person in the EU.
In fact, after finding essentially zero corroboration, I began to doubt Mr. Faitelson’s interpretation of GDPR’s coverage, and started to wonder if it was dangerous advice that I should warn readers to ignore.
But after relentless digging on your behalf, I did eventually locate the GDPR language and interpretation that backs this up.
About this exception…
In short, in the official text of the regulation:
- Article 3(2) says that GDPR applies to controllers and processors outside the EU that process the personal data of people inside the EU when the processing relates to: “a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or b) the monitoring of their behaviour as far as their behaviour takes place within the Union.”
- Recital 23 (the recitals sit at the top of the regulation, before the articles) elaborates that for the “goods or services” prong to apply, it must be apparent that the organization envisages offering them to people in one or more EU member states. The mere accessibility of a website, an email address or other contact details from the EU, or the use of a language generally used in the organization’s own non-EU country, is not enough to show that intent. Using a language or currency generally used in one or more member states with the ability to order in that language, or mentioning customers or users who are in the EU, can be enough.
If your business is completely outside the EU, and you’re not in the business of tracking, predicting, or monitoring users’ behavior (Recital 24 describes this prong as tracking individuals online, in particular to profile them in order to analyze or predict their preferences or behavior), then that just leaves the part about “offering of goods or services”.
In that case, if you’re not actually marketing your goods or services to people in the EU, then you’re not subject to GDPR, even if people in the EU might come across and engage with your website or application or mailing list.
From the “Who Must Comply” page at GDPREU.org:
[Recital 23] therefore provides a safe harbor to firms that do not market goods or services to the EU, by calling out that they do not need to undertake potentially expensive processes to block EU IP addresses from accessing their websites or reject emails sent by EU mail servers.
Of course, whether or not you’re intending to market to people in the EU is open to legal interpretation. The GDPR text itself offers some ideas as to what would cross the line and what wouldn’t. GDPREU.org offers some additional insight and interpretation.
(Note, it looks to me like the GDPREU.org information was the source for the aforementioned Forbes article’s conclusion.)
DOs and DON’Ts for NOT marketing to the EU
Let’s say you’re not planning on complying with GDPR at this time, because you are legitimately not targeting the EU for your business. It needs to be apparent that you’re not actually marketing to the EU.
Here are some examples where you’d be in the clear and where you could get into trouble:
Okay: You are an American company with just one “.com” website written in English. This is okay, even though English is spoken in the EU, and even though EU residents might happen upon your site or wind up in your mailing list.
Not okay: Your company has one or more specialized sites aimed at an EU country, e.g. a website on a “.fr” domain with text in French.
Not okay: Your company has marketing materials that mention the EU as actual or potential customers.
Not okay: Your company has marketing materials in a language that is particular to an EU member state, e.g. Bulgarian.
Not okay: Your service lists prices in a currency specific to EU countries, e.g. Euros or British pounds (the U.K. is still in the EU for now).
Not okay: Your company actually has a physical presence in the EU.
When it comes to mobile apps, I strongly suspect that limiting the display language is not enough to avoid being subject to GDPR. Both the iOS App Store and Google Play let you choose the countries where your app is available. I presume you’d need to remove all of the EU member states (and also the EFTA states of Iceland, Liechtenstein, and Norway) from the list.