EU’s strict GDPR regs are a €20-million risk to your business. (Don’t say we didn’t warn you.)

Reprinted from our March 28, 2018 News Fetch

Plus, here are a few links News Fetch has published since then:


IF you have visitors from the European Union, AND you save ANY personal information about them (including the data held in many cookies), THEN you must comply with the GDPR by May 25, 2018 …

… OR face fines of up to €20 million or 4 percent of your global annual revenues, whichever is higher.

WTF is GDPR?

GDPR is the EU’s General Data Protection Regulation, which puts big sharp teeth into the protection of personal data.

 

Currently, Facebook, Amazon, Google and other companies large and small (undoubtedly yours as well) feel that they own the data they collect about customers, website visitors and other sources such as email.

GDPR turns that on its head and mandates that the user owns their data.

This covers any personal data, whether it comes from:

  • website visitors (tracking cookies),
  • subscribers to blogs, podcasts and news releases,
  • people who receive emails (especially through services like MailChimp),
  • people who click on web ads (such as those served by ad services like DoubleClick).

And because the user owns their data, companies must ask permission before gathering it and ask again before using it. (Strictly speaking, consent is only one of the six lawful bases GDPR recognizes in Article 6, alongside contract, legal obligation and legitimate interests among others, but for tracking cookies and marketing email, consent is usually the basis that applies.)

What are you going to have to do?


This excerpt from HIPAA Journal lays it out:

 

The rights afforded to EU citizens and the major GDPR requirements for US companies include:

  • Ensuring data is only collected when there is a legal and lawful reason for doing so.
  • Obtaining consent before personal data is collected, stored, or processed.
  • Obtaining consent from parents or legal guardians before children’s data is collected or processed.
  • Implementing controls to ensure the confidentiality of data is safeguarded.
  • Training employees on the correct handling of personal data.
  • Ensuring EU citizens’ right to be forgotten can be honored and that it is possible to permanently erase all collected data.
  • Ensuring EU citizens are informed about how their information will be collected and used, similar to the Notice of Privacy Practices required by HIPAA.
  • Making sure data transfers across borders occur in accordance with GDPR regulations.
  • Putting data breach notification policies in place to ensure EU citizens receive notifications of a breach of their personal data.
  • It may also be necessary for organizations to appoint a Data Protection Officer. That individual must have a thorough understanding of GDPR requirements for US companies as well as the infrastructure and organization of their company.

 

Google’s taking GDPR seriously … but their changes may not be enough

Google, which owns DoubleClick and serves more ads through AdWords than any other company in the solar system, announced last week that it was making “Changes to our ad policies to comply with the GDPR.”

However, this article from PageFair (affiliated with Adobe) cautioned that the approach amounts to only partial compliance.

 


Thanks to GDPR, Facebook’s problem is now YOUR problem — only more immediate

While the U.S. Federal Trade Commission and Congress do their usual dithering about what to do about Facebook, the EU adopted GDPR back in 2016, gave companies a two-year transition period, and has redefined ownership of personal data.

 

Facebook will spin and dance, apologize, agonize and sanitize things in the U.S. a bit over the coming months … maybe years. But when it comes to the EU, the big teeth will start to bite, and bite often.

 

Obviously, the more EU web visitors and customers you have, and the more data you collect, the bigger the bull’s-eye painted on your business.

What can the EU actually do to you?

This article (GDPR Compliance Requirements and Implications for US Companies) tackles that issue:

 

“[C]an the European Union impose a fine or penalty on a US or otherwise external organization?

“The simple answer is yes, although the extent of the penalty and how it is enforced will be dependent on many factors, such as:

  • local due process
  • current unilateral trade agreements
  • whether you are exclusively based in the US or have an EU presence
  • or whether you have a presence in a country outside of the EU, but which has strong ties to the EU through trade agreements

“But yes, the simplest way for the EU to impose a fine or penalty on a non-EU-based company is to use local data protection regulations.

“Increasingly, GDPR is being seen as the standard model for other countries, so you may find yourself subject to local rules based on GDPR compliance principles that impose even greater restrictions and penalties. In other countries, the primary route for ensuring compliance and enforcement will come from the Data Protection Authority.”

 

It is not out of the question that the U.S. or some of its more activist states like California might pattern a set of laws after GDPR.

 

This article, “GDPR: How is it Different from U.S. Law & Why this Matters?”, offers deeper insights on possible issues and consequences.

 

What Does GDPR Mean for Marketing?


This article from HubSpot examines how marketing and sales have to back off on “Big Data Targeting.”

Two more articles of note