General Data Protection Regulation (GDPR) is the new data protection law that will take effect on May 25, 2018 in all 28 European Union (EU) countries.
So how does this impact your photography business based in the US or elsewhere outside of the EU?
These important changes may impact the services you use to collect and manage data you store about photography business clients or others who visit or interact with your website.
The GDPR requires your attention and may require action even if your users are not based in the European Economic Area (EEA).
Let’s say this as plainly as we can: where you are based, where your website is hosted, where your business is based, or even if you don’t sell anything either through your website or offline if you have traffic from a European country, the GDPR applies to the privacy data collected by your website. The General Data Protection Regulation (GDPR) is designed to clarify the rights of consumers and the standards for protecting consumer data. The GDPR details provisions that require businesses to protect the personal data and privacy of EU citizens for transactions that occur within EU member states. However, the GDPR also regulates the exportation of personal data outside the EU – and this is the aspect that will impact business outside of the EU.
What types of data does the GDPR protect?
Personally Identifiable Information (PII) including: Name, address and ID numbers, location, IP address, cookie data and RFID tags, health and genetic data, Biometric data, Racial or ethnic data, Political opinions, and Sexual orientation.
What is important to know is that the GDPR takes a broad view of what is defined as personal identification information. For example, businesses will need the same level of protection for things like an individual’s IP address or cookie data as they do for name, address, and Social Security number.
Why does this matter for your photography business?
Businesses will be allowed to store and process personal data originating from the EU, only when the individual consents and for “no longer than is necessary for the purposes for which the personal data are processed.” – these means double opt-ins are back! Personal data must also be portable from one company to another, and businesses must delete personal data upon request.
Even if you operate a business with less than 250 employees and do not have a business presence in the EU, you will still need to make sure that any entity that processes or stores data for you is in compliance with the GDPR.
Why? The GDPR holds processors liable for breaches or non-compliance. It’s possible, then, that both your company and processing partner such as a cloud provider will be liable for penalties even if the fault is entirely on the processing or data storage partner. This could include: website host, email host, cloud, Software as Service applications and other computer programs you use in your business.
How does the GDPR affect third-party and customer contracts?
The limitations on data collection, use, and storage creates a set of potential liabilities associated with accumulation of data. The GDPR places equal liability on data controllers (the organization that owns the data – that’s your business) and data processors (outside organizations that help manage that data). Which means that if a third-party processor is not in compliance, then your business is not in compliance.
You will need to investigate how your vendors manage and secure data from EU based transactions to understand the risks they present. What this will likely mean is that all existing contracts with those third-party data processors (for example, cloud applications and platforms, SaaS vendors, or payroll service providers) and customers will need to be revised to spell out responsibilities for data collected in the EU.
Any revised contracts will also need to define consistent processes for how data is managed and protected, and how breaches are reported. The 72-hour reporting window that the GDPR requires makes it especially important that vendors know how to properly report a personal data breach to your business.
What happens if my business or my data processing vendors are not in compliance with the GDPR?
The GDPR details penalties of up to €20 million or 4 percent of global annual turnover, whichever is higher, for non-compliance. At this stage there are still unanswered questions about how penalties will be assessed. For example, it is unclear how will fines differ for a breach that has minimal impact on individuals versus one where their exposed PII results in actual damage.
If there is a personal data breach, the GDPR requires that companies report personal data breaches within 72 hours to the supervisory authority of the country in which the EU citizens affected by the breach reside. How well businesses minimize the damage will directly affect the company’s risk of fines for the breach.
Tips for becoming compliant with GDPR
Under GDPR, businesses must be able to provide a “reasonable” level of data protection and privacy to EU citizens. The challenge is that what the GDPR means by “reasonable” is not well defined. Here are some general suggestions for achieving compliance with GDPR.
- Decide if you want to have EEA based visitors or EEA based subscribers. If you are not willing to risk engaging with the GDPR, you could speak with your website host and ask about blocking all EU based visitors to your website. Even putting this kind of measure in place is not foolproof, so you will still need to gauge your level of risk.
- Conduct a Risk Assessment:
- Inventory all platforms and tools you use that collect, process, or store data on your clients, customers, (and team members).
- Create a record of the data flow of Personally Identifiable Information (PII) into and out of the business.
- Review all platforms and tools you use to collect or store data – this could include website plugins, analytics tools (including Google analytics), social media platforms, cloud based storage, scheduling tools, ecommerce tools, Customer Relationship Management (CRM) platforms – and try to understand how they are seeking to comply with GDPR. If they aren’t – find another option.
- Some websites analytics tools are setting up the capacity to automatically delete user and event data that is older than the retention period you select. Find out what the ones you have installed are doing!
- Ask your attorney to review your existing third party vendor contracts for GDPR compliance.
- Limit collection of sensitive data – if you can do business without it, don’t ask for it.
- Inform current and future EU based customers of their rights under GDPR.
- Create a data protection plan:
- Don’t forget about mobile – consider limiting the installation of personal apps on work devices (computers, phones etc). If any of those apps access and store PII, they must do so in a GDPR-compliant manner.
- Talk to your insurer about data security insurance.
- Test Incident Response plans – make sure you would be in a position to report breaches within 24 hours.
- Set up a process for ongoing compliance monitoring.
Finally, don’t panic – this is not a time for throwing up your hands and saying that it’s all too complicated. It is a good exercise to make sure you understand how data is flowing in and out of your business. Start there – and then take the rest step by step.