GDPR Compliance for Non-European Companies and Organisations

Fiona Chan
8 min read · May 26, 2018


So you might have heard that GDPR ‘D-Day’ has happened: 25th May 2018.

If you’re reading this now, then the sky hasn’t fallen in and the panic that can only be compared to the Y2K bug has subsided. In fact, I think the Y2K bug caused more damage.

Remember this?

Whilst everyone in Europe was tripping over themselves to ‘implement GDPR’ and ‘be 100% GDPR compliant’ before the 25th May, the rest of the world is only starting to wake up to this.

This is not to say that the rest of the world doesn’t have privacy and data protection laws, but given the increased media attention around GDPR, I have also seen many national privacy laws being updated either to meet the new standards GDPR is setting or to give individuals privacy rights for the first time.

Everything has been so European-focused (and believe me, there is a LOT of work to be done with European businesses alone) that I can’t help but wonder about my fellow business owners and compliance professionals back home. Back home being not Europe, would people there have any idea of what GDPR is? Given that the EU is such a big and strong trading partner for a lot of countries in the rest of the world, are they prepared for what’s to come?

I did an impromptu poll on my non-European friends to see if they knew anything about GDPR. The response was underwhelming. Some recognised it only because of the avalanche of emails from companies that are ‘updating their privacy policies’ and others ironically asked if it was the ‘Facebook thing’.

Le sigh.

What does GDPR mean for non-EU companies? GOTCHA!

Well, if you don’t do business with the EU or target EU individuals in any way, you’re safe.

But in this very globalised and complexly tethered world, it’s not so easy to clearly define this in non-EU companies. Having your website in a language that is used in the European Union can sometimes be enough to capture you in what it means to ‘target an EU individual’. (Practically speaking it doesn’t, but a strict reading of the text does provide for this interpretation).

Data Subject Access Requests

You know what the consumer revenge for the trillions of ‘we’ve updated our privacy policy’ and ‘we value your privacy, don’t leave us!’ emails is? Data Subject Access Requests (DSAR).

Don’t know what these are? Then you’re kind of f*cked. Pardon my French.

These little beauties are going to really trip up your ‘Privacy Office’ — said with air quotes because I see so many companies claiming to have these now in light of the GDPR.

Under the GDPR, Data Subjects (aka your customers, suppliers, employees and whoever else you process data on) have six very distinct rights. You might have heard of them already, particularly the right to be forgotten (real name: right to erasure). The other five rights are:

· Right to be informed

· Right to access

· Right to object

· Right to restrict

· Right to data portability

This means that at any time that the data subject wants to, they can ask you what information you have on them, get a copy of that information, tell you to stop sending them marketing emails, tell you to stop using their data and tell you to mass export their data to wherever they want.

And if you’re not prepared for that? Tough.

If you can’t do as the data subject requests, then those scary fines that everyone has been talking about will come find you because you’re in breach of the GDPR.

Of course there are exceptions, but they’re pretty few and far between, so don’t rely on those as your standard response.

This is payback time for individuals. They’re taking their data back and they’re going to gleefully use these rights with reckless abandon.

I’ve seen it.

All the GDPR forums are lighting up with stories about how so-and-so company are spamming them with privacy policy updates and repermissioning campaigns and the comments are flooding in: “Hit ’em with a SAR and see how they like it!” followed by maniacal laughter emoji.

This. Is. Real.

Only around 40% of EU companies are prepared for GDPR which means only 40% will be ready to deal with this deluge of Data Subject Access Requests.

Guess how ready non-EU companies are in the face of GDPR? If my impromptu poll is anything to go by, I can say without a doubt that non-EU companies will be LESS prepared, if not NOT prepared.

And yet the GDPR applies to non-EU companies too.

Supervisory Authority

On top of this, here’s another kicker: supervisory authorities.

So you know how they have factory assembly lines of robot arms creating robot arms so that there can be more robot arm factory assembly lines? That’s kind of like the EU. The EU was created by the Member States so that they can create more robot arms to carry out the functions of the robots. No, just kidding. But it is undeniable that the EU likes creating more bodies of governance for the sake of creating more bodies of governance. And the supervisory authorities are kind of like those.

Not the EU but Berkley Engineering

The main aim of the GDPR is to harmonise all the data protection and privacy laws across EU Member States, so what it has also done is to make sure that each Privacy Commission changes its name to Data Protection Authority. That’s right, the different privacy compliance authorities across all EU Member States are being dismantled so that an equivalent one rises in each one’s place, with the same powers and reach as the others.

In essence the GDPR has standardised data protection and privacy in the EU.

But hold up, what does this have to do with non-EU companies? I’m getting to that.

If you have no idea how the EU and its institutions work, because maybe you’re not a European company, then you’re going to have trouble liaising with and responding to requests by Supervisory Authorities.

As a non-EU company that trades with the EU, I do imagine that you’re familiar with the basics, but you don’t trade with the EU as a whole. You trade with individual Member States, aka European countries.

So when a supervisory authority comes along to request to audit you or start an investigation, you may brush it aside as some elaborate phishing scam.

“Yeah right Mr. European Union President, I’ll let you look into my business and while you’re at it, here’s a cheque for $5 million for that fine ::winky face::”

Ignore at your own peril.

Article 27 — EU Representatives for Non-EU companies

And to add more bad news to the bad news pile, there’s Article 27 of the GDPR.

Somewhere buried in the 99 Articles of the GDPR is Article 27 that says non-EU companies shall designate in writing a representative in the Union.

Hear that?

Non-EU companies need a representative in the EU.

So thank your lucky stars Sandra from Accounting because you’re now going to be permanently based in the EU! You get a relocation package, you get a relocation package and YOU get a relocation package.

Or not.

Just like how lawyers and accountants can do things on behalf of companies, non-EU companies can appoint service firms as their point person in the EU. More accurately, they have to appoint an Article 27 Representative or risk breaching GDPR.

This representative is responsible for dealing with the supervisory authorities and the data subject access requests. That’s a two-birds-with-one-stone situation if I ever saw one.

Appoint someone to take the proverbial heat and continue on your merry way doing what you do best: making it rain by selling your stuff to the EU.

Remember her? She said yes once. YOUR representative in the EU.

The Ask

I’m reaching out to all my fellow non-EU dudes and dudettes. I’m looking at you home country Australia. I’m looking at you Canada, US, Latin America and Asia.

I want to tell you all about GDPR before you walk into that trap or get caught out. I want to help you respond to those data subject access requests and I want to help you talk to those supervisory authorities.

But mainly, I just want to know how ready non-EU companies are in dealing with GDPR.

So if you’re not based in the EU but do business with any of the countries in the EU, let’s have a chat.

I want to ask you my impromptu poll questions and get a general view of how ready non-EU companies are.

Reach out and hit me with your best shot!

fiona@fionachan.me

Disclaimer: I’ve taken some liberties with my analogies in order to really break it down for people to understand. Of course the GDPR is more complex than my overly simplistic examples. But if I’m to raise awareness I have to start somewhere. You don’t teach kids astrophysics on the first day of kindergarten, and in turn you don’t blow up everyone’s mind by reciting the full text of the GDPR and taking a legal stick to each article. That’s not helpful and it’s most certainly a turn-off for those who are proactive and want to get ahead of GDPR. In short, I’ve taken off my legal hat and put on my business hat to break down the Regulation into easily understandable and business-friendly terms. If you want a discussion on the finer legal points of Article 49’s Derogations, BCRs or SCCs, or how GDPR interacts with national legislation, I’m game too.

Fiona Chan

Data Privacy & GDPR Specialist | Lawyer | Writer | Business builder with a love for tech