GDPR affects any company with European customers. In practice that means any company with a website that stores form data from visitors who may or may not be European, and even "anonymous" analytics tracking data, since online identifiers such as cookie IDs and IP addresses can count as personal data under the regulation. A consistent and legally acceptable response to the new law's rather broad, vague and, quite frankly, impossible requirements has yet to be defined; still, it's better safe than sorry. So…

Here is the actual legislation, Regulation (EU) 2016/679: Click here for a raft of legalese

I do not recommend you read it…

The legislation boils down to three things: having a legal justification (a "lawful basis") for processing personal data, being clear about what you do with that information, and knowing where that information is being stored.

This applies to personal data processed by computer and to personal data held in a structured filing system (so organised paper records are covered too), but not to data processed purely for personal or household activities, e.g. your own private address book.

Now get this >>>

  • For less severe breaches, the maximum fine is €10 million or two percent of a company's worldwide annual turnover, whichever is higher.
  • For more severe breaches, the maximum fine is €20 million or four percent of a company's worldwide annual turnover, whichever is higher.

Fortunately, while the GDPR purports to apply to non-EU companies that offer goods or services to people in the EU, it is highly doubtful whether EU authorities would try to collect fines against US companies without an EU subsidiary or affiliate.

So, it's moot for most US firms. Still, if the company is doing any business with European people or businesses, there could be an issue. So, once again, it's a matter of being…

Better safe than sorry.

The legislation makes a distinction between the controller of information and the processor.

A controller is the party that decides why and how personal data is processed; the processor is the entity that processes it on the controller's behalf, e.g. by providing the service and technology used to collect it.

For example, say you have a little site on WIX that collects data from people filling out one of WIX's standard forms. In this case WIX is the processor and you (or your client) are the controller.

You are responsible for what you do with the information submitted through the form, and WIX is responsible for handling that data properly when it is collected and stored on your behalf. The regulation also expects a written data-processing agreement between the two of you; for a hosted service that is normally part of the provider's terms, and it is worth checking that it is actually there.

Now, this all sounds well and good until you get into the real world, where there are organizations that routinely acquire information by scraping data from your contacts (e.g. Facebook) and then sell that data to the Chinese government's intelligence apparatus as well as hundreds of other companies, agencies, political groups, and so on.

As a controller, you would be responsible for your end of securing the personal data of those who have filled out that contact form. Whether that extends to knowing that Facebook is routinely scraping and monetizing your email contacts is unknown at this point, and taking steps to keep them secure from its clutches is another matter. All I know is that the moment I found out they had managed to scrape my email contacts from my phone, in spite of my never having used Messenger, was the day I decided to remove myself from Facebook.

Now the bad news…

Basically GDPR comes down to the following:

  • You need to secure your customer data, e.g. serve your site over HTTPS (TLS, which most people still call "SSL"), keep the data on a hardened server with proper access control, etc.
  • You need to obtain consent from an individual before collecting their personal data (consent is one of several lawful bases, but it is the one a contact form will usually rely on, and a pre-ticked box does not count).
  • The individual from whom you are collecting data has the right to request that the information you have collected be erased.
  • The data you collect must be stored in a manner that does not allow it to proliferate throughout the organization, so that if someone requests its removal this can be done without difficulty.
  • You need to keep a personal data audit record, basically a simple flow chart of where and how the personal data is stored.
  • You have to inform people when their information has been breached, and notify the supervisory authority within 72 hours of becoming aware of the breach.

But wait… THERE’S MORE…

Parental consent is required for online services offered directly to children under 16 (member states may lower that age to 13). Does this mean every single form now has to ask for the respondent's age? Maybe… Who knows what lurks in the twisted minds of the EU's legislative body.

And what about that "right to be forgotten": does it include credit card payment processing information? How's that gonna work? (The regulation does carve out data you are legally required to keep, such as accounting records, so erasure is not absolute; but that still leaves every other copy of the data.)

Here's a delightful scenario: what if you only do business in the USA, but your website's hosting provider has servers located in Europe and some money-grubbing legal firm overseas sets its sights on 4% of your company's annual revenue? (Strictly, the fines are levied by national supervisory authorities, not by law firms; what a law firm can bring on behalf of individuals is a claim for damages.)

And then there is the real white whale of this legislation: Google/Facebook/Microsoft (NSA… cough, cough), the triumvirate of personal data acquisition and dissemination for the deep state. Think they can put all of Han's personal data back in the bottle after selling it out to the highest bidders a thousand times over?

No, I think not.

Anyway, in conclusion, my personal recommendations regarding websites and GDPR are as follows:

  1. Set up HTTPS (TLS) and make sure your website's data is secure, especially if you are collecting data from people.
  2. On forms that request personal information, e.g. a name, put an unticked checkbox with some such verbiage as to what you are going to do with it, and fill it out with the following gobbledygook: GDPR Form Requirements. More info on said gobbledygook here.
  3. Store personal data in a limited number of places, keep them secure, then write down where that is… Congratulations, you have an audit trail for personal information. Yeah…
  4. If someone requests they be removed from a list, remove them. If it's on a credit card, a payment agreement, or a legally binding contract… well, honestly, I have no idea how on earth this bullshit is enforceable or even makes sense, but hey, it's gonna be fun to watch the EU try to extort billions out of Facebook.
  5. If you get hacked and they get access to personal data, let the people know right away.

This last one is actually perfectly reasonable. Quite frankly, #1 and #5 are the only reasonable parts of this; #2 is busy work; #3 is absurd in an environment where commercial companies sell personal data; #4 is impractical and technically impossible given that personal data shared on the web is stored and re-shared from the moment it's posted (especially if it's embarrassing…), so if someone wants "those" Instagram pics removed, it just ain't gonna happen.
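For what recommendations 3 and 4 (and the matching bullets earlier) look like when you actually build them, here is an added example. It is not code from the original post and is not tied to WIX or any other product: a minimal "data map" in which every place personal data lands is registered once with its location, the basis on which it is kept, and how to find and erase one person's records, so "where is this person's data?" and "remove this person" are answered from a single list instead of a hunt through the organisation. The store names, record layouts, the "consent" / "legal obligation" retention labels and the sample address are all invented for illustration; the three stores are in-memory stand-ins for a form database, a mailing list and an invoice ledger.

```python
"""Added example: a registry of everywhere personal data is kept, with a
consent record that says who agreed to what and when, and an erasure routine
that honours removal requests except where a retention duty applies.
Store names, layouts, retention labels and the sample subject are invented."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, List, Tuple


@dataclass
class ConsentRecord:
    """What the form's checkbox actually produced: who agreed to what, when,
    and under which version of the wording (a bare True is not enough to
    show consent later)."""
    email: str
    purpose: str
    policy_version: str
    given_at: datetime


@dataclass
class DataStore:
    """One entry in the written-down audit map."""
    name: str
    location: str                 # where the data physically lives
    retention_basis: str          # assumed labels: "consent" or "legal obligation"
    holds: Callable[[str], bool]  # does this store have records for the subject?
    erase: Callable[[str], int]   # remove them; returns number of records removed


class DataMap:
    def __init__(self) -> None:
        self.stores: List[DataStore] = []

    def register(self, store: DataStore) -> None:
        self.stores.append(store)

    def audit(self) -> List[Tuple[str, str, str]]:
        """The 'where, and on what basis, is personal data kept' list."""
        return [(s.name, s.location, s.retention_basis) for s in self.stores]

    def locate(self, email: str) -> List[str]:
        return [s.name for s in self.stores if s.holds(email)]

    def erase(self, email: str) -> Dict[str, str]:
        """Honour a removal request store by store and report each outcome.

        Records kept under a legal obligation (invoices, tax records) are
        reported as retained rather than wiped: the right to erasure does not
        override a retention duty, and that answer must be recorded, not
        silently skipped.
        """
        outcome: Dict[str, str] = {}
        for s in self.stores:
            if not s.holds(email):
                outcome[s.name] = "not present"
            elif s.retention_basis == "legal obligation":
                outcome[s.name] = "retained (legal obligation)"
            else:
                outcome[s.name] = f"erased {s.erase(email)} record(s)"
        return outcome


# --- constructed in-memory stand-ins for the three stores -----------------
form_submissions: Dict[str, List[ConsentRecord]] = {}
newsletter: set = set()
invoices: List[dict] = []


def record_form_submission(email: str, purpose: str, policy_version: str) -> ConsentRecord:
    rec = ConsentRecord(email, purpose, policy_version, datetime.now(timezone.utc))
    form_submissions.setdefault(email, []).append(rec)
    return rec


def _erase_newsletter(email: str) -> int:
    if email in newsletter:
        newsletter.remove(email)
        return 1
    return 0


def build_data_map() -> DataMap:
    dm = DataMap()
    dm.register(DataStore(
        "contact_form", "site database, table form_submissions", "consent",
        holds=lambda e: e in form_submissions,
        erase=lambda e: len(form_submissions.pop(e, [])),
    ))
    dm.register(DataStore(
        "newsletter", "mailing-list provider (export kept on office share)", "consent",
        holds=lambda e: e in newsletter,
        erase=_erase_newsletter,
    ))
    dm.register(DataStore(
        "invoices", "accounting system, statutory retention period", "legal obligation",
        holds=lambda e: any(i["email"] == e for i in invoices),
        erase=lambda e: 0,  # never reached: the retention basis blocks erasure
    ))
    return dm


def demo() -> Dict[str, str]:
    """Constructed sample subject: one form entry, one subscription, one invoice."""
    record_form_submission("hans@example.com", "reply to enquiry", "privacy-2018-05")
    newsletter.add("hans@example.com")
    invoices.append({"email": "hans@example.com", "amount": 42})
    return build_data_map().erase("hans@example.com")


if __name__ == "__main__":
    for name, location, basis in build_data_map().audit():
        print(f"{name:13} {basis:17} {location}")
    print(demo())
```

In a real deployment each `DataStore` would wrap a database table, a mailing provider's API or an export on a file share, and `audit()` is the thing you print out and keep; the point of the pattern is that a store that is never registered is a store you cannot locate, erase from, or report on after a breach.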

Oh, and before you take my advice, please consider the fact that I am NOT a lawyer proficient in international law. Take all of the preceding with a healthy amount of skepticism about my legal acumen regarding the varied nuances thereof, and consider consulting a nice, expensive international lawyer if you want real legal advice. Which probably won't be much better, since this poorly constructed, thoughtlessly implemented law contradicts one of the most fundamental physical laws of the universe.

The internet is forever…
