I just received a Microsoft marketing email, "Prepare for the General Data Protection Regulation," and it occurred to me that this might be the first time smaller U.S. businesses or organizations become aware of this new regulation. A distribution list like Microsoft's, or Apple's, could create a unified awareness in the U.S. of such a regulation more effectively than newspapers, blog entries, television, or business journals. My experience is that many small U.S. entities are unaware of this far-reaching regulation and are unprepared for its impact on their business.
So welcome, newcomers, to the world of GDPR. I always open my blog entries on this topic with the caveats that I am not "Certified" in "Data Protection," nor am I a lawyer specializing in data protection or contracts. We at Vizzy Solutions and Dirty Data Girl operate as "data processors" in the GDPR classification system. Caveat aside, Article 28 of the Regulation does make it a processor's responsibility to "assist the controller..." And it is at exactly this point where my concern for smaller U.S. companies comes in. If you're asking yourself "What is a controller?" right now, that should indicate to you how far behind you are in being prepared to respond to this globally reaching regulation, which becomes enforceable May 25, 2018.
If you offer goods and services to people within an EU country, you probably have electronically stored data on them ranging from Name and Address to other things you might not even be aware that you have. Because you have this data you are considered a "controller." "Processing" data includes "obtaining, disclosing, recording, holding, using, erasing or destroying personal information."
Now, your legitimate business interests are considered in the Regulation, so collecting or using the data is not in itself the problem. It then becomes a matter of how the data is identified and handled.
And if you hold "a lot" of data on EU citizens specifically -- and you didn't know about GDPR -- you need to know that there are additional considerations, and now would be a really good time to speak with an attorney who works with data privacy questions.
But for smaller organizations, GDPR's enforcement date is actually a great exercise in simply modernizing the way we collect, protect, and use data. Small businesses in EU countries -- from nurseries to Mom & Pop shops to dentists to restaurants -- have been preparing for two years. Small U.S. businesses can leverage the tools and information that organizations like the ICO have published. It's about documenting where your data is and how it's secured, so that privacy is included in the design and an individual's rights are protected.
Larger companies in the U.S. have also been preparing for this date. You've probably received a rash of privacy statement updates; you just didn't know the "why" behind them. Now you do. U.S. companies are pushing out their new cookie and privacy Terms of Service ahead of this enforcement deadline.
The ICO, or the Information Commissioner's Office, is a UK regulator and data-protection watchdog. They've published a lot of tools along with guidance for small businesses in the UK. Even with Brexit, the UK has committed to keeping GDPR as law, so we've been educating ourselves by reading from their site. The protections of GDPR are not meant just as a "hassle" for businesses, but to protect an individual's rights with regard to how their data is used, whether or not they want to have it used, along with the right to challenge results from automated decision making and profiling.
This extraordinary set of regulations includes how to ask for consent, with things like not using pre-ticked boxes, or asking people to positively opt in instead of having to opt out. But business needs are not disregarded. "Legitimate interests" can be your own interests, and include commercial interests, so it's not all about new paperwork flying everywhere. Still, at the heart of it is the fact that people's data belongs to them, and disregarding a person's interest in the privacy and security of sometimes intimate information through sloppy data practices is no longer acceptable business behavior.
So even though GDPR is not part of U.S. law, it can affect U.S. business, but more importantly -- it will affect U.S. consumers' expectations about how they receive marketing information, how their data is used, and how their data is secured. For businesses, these are a good set of guidelines on how to manage the store of data we have about individuals.
p.s. From what I can find, there's still no certifying authority within organizations like the ICO that would accredit an actual "certifying body" for titles such as "Certified Data Protection Provider," or consultant, or ... whatever. However, those terms are showing up on Google for services to businesses related to GDPR. I recommend following Froud on Fraud for some plain speaking on GDPR and GDPR certification. And he's a blast to read.