by: Christopher T. Craig
September 21, 2018
Chris Craig, here. As you know, I like to keep friends and colleagues abreast of the latest and greatest in the world of non-profit entities and related organizations. Today I am providing a very brief note about a change that will affect many US-based entities starting tomorrow: the implementation of the European Union (EU) General Data Protection Regulation (GDPR). These new rules are designed to enable EU-based individuals to better control their personal data. Below is a SUMMARY ONLY, not a deep dive into the rules, requirements or otherwise, and it is not legal advice. As I note below, if you have specific inquiries I strongly urge you to consult counsel.
Under the GDPR, if you collect personal data or behavioural information from someone in an EU country, you are subject to the requirements of the GDPR. The law only applies if the consumer or user is in the EU when the data is collected. In addition, a financial transaction doesn't have to take place for the extended scope of the law to kick in. If the organization collects "personal data" (personally identifiable information or PII) as part of a marketing survey, then the data would have to be protected GDPR-style. The rules would apply, therefore, to a U.S. company with no physical presence in an EU country that collects personal data belonging to an EU user over the internet. However, such collection would have to target a user in an EU country. Say, for example, the outreach is written in the native language of an EU user. Other transactions such as accepting payment would also tip the balance in favour of coverage. Generic marketing doesn't count.
Features of the new policy include requiring users to opt IN before data is collected, rather than opting out; requiring notification of any data breach within 72 hours; and providing users with the right to have their data permanently removed (the Right to be Forgotten). This list is not exhaustive.
Among practitioners, it is believed that there are several reasons to become compliant, even if you don't think you are subject to the GDPR regulations. Such reasons include, but are not limited to:
- It protects the entity against the risk that it is in fact holding data subject to the GDPR without knowing it.
- It is, theoretically, more secure.
- Some suggest that it is a "best practice" in that properly handling personal data instils trust and helps to prevent costly data breaches.
- It prepares the entity for the potential future of data collection if the EU standard migrates outside the EU to the US.
If you have any questions or require further information, please feel free to contact me.