GDPR affects any company that handles data about people in Europe. That could mean any company with a website that stores form submissions from visitors who may or may not be European, or even just analytics tracking data: cookie IDs and IP addresses count as personal data, and only genuinely anonymous data falls outside the regulation. As yet no consistent and legally settled response to the new law's rather broad, vague and quite frankly impossible requirements has been defined; still, it's better safe than sorry. So…
Here is the actual legislation: Click here for a raft of legalese
I do not recommend you read it…
The legislation boils down to three things: having a legal justification (a lawful basis) for processing personal data, being clear about what you do with that data, and knowing where it is stored.
It applies to personal data processed by automated means and also to paper records that form part of a structured filing system; the carve-out is for purely personal or household use (your own address book, not your business's).
Fortunately, while the GDPR purports to apply to non-EU companies that offer goods or services to, or monitor the behaviour of, people in the EU, it is doubtful whether EU authorities would try to collect fines from US companies without an EU subsidiary or affiliate.
So it's moot for most US firms. Still, if the company does any business with European people or businesses, there could be an issue. So, once again, it's a matter of being…
The legislation makes a distinction between the controller and the processor of personal data.
The controller is the party that decides why and how personal data is processed (what it is collected for and what is done with it); the processor is the party that processes the data on the controller's behalf, typically by providing the service and technology used to collect and store it.
For example, say you have a little site on WIX that collects data from people filling out one of WIX's standard forms. In this case WIX is the processor and your client, the site owner, is the controller.
The controller is responsible for what is done with the information submitted through the form, and WIX, as processor, is responsible for handling that data properly when it is collected and stored on the controller's behalf (the regulation requires a written contract between the two setting out those duties).
Now, this all sounds well and good until you get into the real world, where there are organizations that routinely acquire information by scraping your contacts (Facebook, for example) and then sell or share that data with foreign governments and hundreds of other companies, agencies, political groups and so on.
As a controller, you would be responsible for your end of securing the personal data of those who have filled out that contact form. Whether that extends to knowing that Facebook is routinely scraping and monetizing your email contacts is unknown at this point, and taking steps to ensure the data is secure from their clutches is another matter. All I know is that the moment I found out they had managed to scrape my email contacts from my phone, in spite of my never having used Messenger, was the day I decided to remove myself from Facebook.
Basically, GDPR comes down to the following:
Parental consent is required for the collection, storage and use of personal data from anyone under 16 when an online service is offered directly to children (member states may lower that threshold to 13, and several have). Does this mean every single form now has to ask for the respondent's age? Maybe… Who knows what lurks in the twisted minds of the EU's legislative body.
And what about that "right to be forgotten": does it include credit card payment processing records? How's that gonna work? The regulation does exempt data that must be kept to comply with a legal obligation, which is how accounting and transaction records survive an erasure request, but nothing on a contact form tells you which records those are.
Here's a delightful scenario: what if you only do business in the USA, but your website's hosting provider has servers located in Europe, and some money-grubbing legal firm overseas, or the regulator it complains to, sets its sights on the maximum fine of 4% of your company's global annual turnover?
And then there is the real white whale of this legislation: Google/Facebook/Microsoft (NSA… cough, cough), the triumvirate of personal data acquisition and dissemination for the deep state. Think they can put all of Hans's personal data back in the bottle after selling it out to the highest bidders a thousand times over?
No, I think not.
Anyway, in conclusion, my personal recommendations regarding websites and GDPR are as follows:
This last one is actually perfectly reasonable. Quite frankly, #1 and #5 are the only reasonable parts of this; #2 is busy work; #3 is absurd in an environment where commercial companies sell personal data; and #4 is impractical and technically impossible, given that personal data shared on the web is copied and re-shared from the moment it's posted (especially if it's embarrassing…), so if someone wants "those" Instagram pics removed, it just ain't gonna happen.
Oh, and before you take my advice, please consider the fact that I am NOT a lawyer proficient in international law. Take all of the preceding with a healthy amount of skepticism about my legal acumen regarding the varied nuances thereof, and consider consulting a nice, expensive international lawyer if you want real legal advice. Which probably won't be much better, since this poorly constructed, thoughtlessly implemented law contradicts one of the most fundamental physical laws of the universe.