SEAT Global Magazine - Exclusive Interviews of Global Sport Executive Issue 09 March/April 2018 | Page 19

By Yaki Faitelson, CEO, Varonis

INSIGHTS & PERSPECTIVES

Accepting the currency of that country and using a local domain suffix -- say, a U.S. website that can be reached at a .nl address from the Netherlands -- would certainly seal the case.

Who are the likely U.S. candidates to fall under the GDPR's territorial scope? U.S.-based hospitality, travel, software services and e-commerce companies will certainly have to take a closer look at their online marketing practices. However, any U.S. company that has identified a market in an EU country and has localized Web content for it should review its Web operations.

For U.S. companies, EU-directed online marketing forms and interactions will have to be adjusted to obtain explicit consumer consent. In the language of the GDPR, consent must be “freely given, specific, informed, and unambiguous.”

For example, say a Chicago-based software company is looking to run a campaign in France and has set up a webpage to collect email addresses in exchange for a white paper. At the very least, the company will need a consent checkbox -- not pre-checked by default -- accompanied by clear language about what it will be doing with these email addresses. It is not acceptable to point the user at a long "terms and conditions" document filled with legalese and treat that as consent.

This gets more complicated when a customer signs up for a service or buys something. The vendor will need to obtain explicit permission for each type of processing done on the personal data (i.e., email promotions and sharing with third-party affiliates each get their own checkbox).

Once the data is collected, U.S. companies will then have to protect it under the GDPR's rules. For those that already follow existing data security standards (e.g., PCI DSS, ISO 27001, NIST), these new requirements should not be a heavy burden.

However, the tough new GDPR breach notification rule -- notifying the regulator within 72 hours of becoming aware of a breach -- will certainly require IT departments to up their game.

When there’s a breach involving “accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed,” then IT groups will need to analyze whether the exposed or affected EU personal data identifiers can cause “risk to the rights and freedoms” of EU data subjects.

The GDPR gives some leeway in weighing the risks, but a large exposure of email addresses, personal data that includes sensitive medical or financial information, or identifiers associated with children would all require notification to an EU regulator, or "supervisory authority," within 72 hours.

Where there is "high risk" to individuals' rights and freedoms -- typically, exposure of credit card numbers or account passwords -- the affected data subjects themselves will also have to be notified.

There are still questions about how the EU will enforce these actions against U.S. and other multinational companies doing business over the Web. The EU is serious about a uniform data and privacy law for its market and has already changed the Web practices of major U.S. companies.

To get the attention of multinationals, the GDPR introduces significant fines. Failing to report a breach to a regulator within 72 hours falls into the first tier of penalties -- up to 2% of global annual turnover (or 10 million euros, whichever is higher) rather than the 4% tier that has received more press attention.

U.S. companies, especially those with a strong Web presence, should be paying attention and changing practices now and not waiting to become a headline two years down the road.

Consent, Breach Notification And Fines
