As you may or may not know, towards the end of May next year the so-called GDPR (General Data Protection Regulation) comes into effect in the EU.
However, it applies to ANYONE selling into the EU … and that includes pretty much all online/Internet marketers.
So, straight from their FAQ http://www.eugdpr.org/gdpr-faqs.html
The ‘scary’ one:
What are the penalties for non-compliance?
Organizations can be fined up to 4% of annual global turnover for breaching GDPR or €20 Million.
This is the maximum fine that can be imposed for the most serious infringements, e.g. not having sufficient customer consent to process data or violating the core of Privacy by Design concepts.
There is a tiered approach to fines, e.g. a company can be fined 2% for not having their records in order (article 28), not notifying the supervising authority and data subject about a breach, or not conducting an impact assessment.
It is important to note that these rules apply to both controllers and processors — meaning ‘clouds’ will not be exempt from GDPR enforcement.
Regarding the first part (the 4%): that applies to the entire company structure.
So if you think: “not to worry, this one company that might be affected is only a small thing under my umbrella brand” … think again:
GLOBAL turnover of the ENTIRE company!
As you can see, they explicitly mention ‘not having sufficient customer consent to process data’.
Here’s where this gets scary:
Look at the last paragraph I mentioned:
If you store customer information in e.g. Aweber, and they get hacked … YOU are responsible!
It is YOUR responsibility to CHECK up-front (and keep checking on a regular basis) that (in this example) Aweber are GDPR-compliant (they’re not, just checked, see below).
Now it gets even scarier:
Even if you can prove that Aweber messed up and YOU checked in on them on a regular basis … it’s still the 4% of YOUR company that’s on the line (or €20 Million, whichever is greater).
You can then TRY to reclaim that from Aweber, but that’s YOUR job. YOU/YOUR company foots the bill to begin with.
In case you’re wondering: I attended a seminar on just that topic last Thursday, a great presentation by a lawyer who specializes in just this thing.
The big take-away from this was:
Obviously, the scary stuff from above.
But, probably more importantly:
Data Protection (at least for those selling into the EU) is now a PROCESS!
It’s an ongoing effort, and in order to be compliant, you will have to prove that you have systems in place!
If you don’t … that’ll be 2% or €20 Million … whichever is greater.
Just to scare you some more:
Just had a chat with Aweber … and they think they’re safe because they (self-)certified under the US-EU Safe Harbour agreement.
They’re NOT safe:
(Read the PricewaterhouseCoopers article at the top.)
How’s that for a lighthearted start to the week? ;-)
PS: If you’d like to sign up to my new “Drip” list, you can do so here: