GDPR compliance guide for online businesses outside of the European Union (Part 1 of 5)
Compliance is easier than you think and following data protection principles will help you build trust while bringing purpose to your sales, marketing, and operations functions.
You have to comply with the GDPR regardless of where your business is located if you offer goods or services to, or monitor the behaviour of, individuals who are in the EU (Article 3(2)). The GDPR applies equally to businesses of all sizes, so compliance can be disproportionately costly for smaller businesses. We wrote this guide to relieve some of that burden and to help you frame the activities so that they improve your business functions while you check the boxes on GDPR compliance.
This article is part 1 of 5 in our guide for online businesses outside of the European Union to comply with the GDPR. We will drill down into the key requirements and describe how you can use this compliance exercise as an opportunity to redefine your business functions.
If you're working on a non-profit COVID-19 project for social good, please write to firstname.lastname@example.org for pro bono EU representation services. The European Data Protection Board (EDPB) and the UK Information Commissioner's Office (ICO) have both issued guidance on data protection considerations to keep in mind during our response to this crisis. You can view the EDPB's statement here, the ICO's guidance for healthcare controllers here, and the ICO's guidance for community groups here.
If you're reading this, you likely realize that the General Data Protection Regulation (GDPR) requires data controllers and processors outside of the European Union (EU) to appoint a representative in the EU. More generally, you're likely wondering whether you've done enough to limit the financial and reputational risk to your business from non-compliance with the GDPR.
Whether you develop apps, run an e-commerce store, or conduct your business online another way, GDPR is probably not new to you as an acronym. Still, it's a regulation that only a handful appear to have under control.
We can safely assume online activity will continue to increase as a result of COVID-19, and we have already seen an uptick in cyberattacks by malicious actors looking to take advantage of this crisis and increased online activity. For those new to the world of online business, this guide can serve as a primer to data protection principles overhauled by the GDPR in 2018. For those already familiar with the GDPR, I hope you can still gain a fresh perspective to address areas you may have neglected in the past.
In this guide, we'll go through the GDPR rule text and additional guidance by EU authorities in the context of what the GDPR broadly aims to achieve. We'll also provide you with resources to not only comply with Article 27 but describe the steps you can take afterward to bring your compliance program under control while using it as a tool to improve your business processes.
In general, your requirements will be more complicated than what we can cover in this guide if you employ over 250 individuals or regularly process special categories of data (e.g., health). You can write to me or schedule time to discuss your specific situation in more detail.
Three steps to comply
Appoint your EU representative
Under Article 27, you need to appoint an EU representative if you have no establishment in the EU but still offer goods or services to, or monitor the behaviour of, individuals in the EU. Article 27(2) exempts processing that is only occasional, does not involve special categories of data on a large scale, and is unlikely to result in a risk to individuals, but an online business that collects analytics or account data on an ongoing basis will rarely qualify for that exemption. In practice, you need a representative if you have a:
consumer application that is available for download in the EU,
business application where your users collect data from individuals in the EU,
e-commerce store open to the EU, or
website that collects analytics, email addresses, or other personal information from data subjects in the EU.
If you don't have an EU representative, we offer an instant service to help you comply with this requirement.
Implement data protection principles
At this point, all you have left to do is to provide a copy of your records of processing activities (ROPA) to your EU representative. The ROPA itself must list the name and contact details of your representative alongside your own (Article 30(1)(a)), and data protection authorities in the EU may request it at any time (Article 30(4)), so you must keep this information up-to-date and resend it to your representative whenever your processing changes.
You can think of the ROPA as an X-ray of the personal data processing conducted by your organization: for each processing activity it records the purpose, the categories of data subjects and personal data, the recipients, any transfers outside the EU, the planned retention periods, and a general description of the security measures in place (Article 30(1)). In terms of the format and level of detail, we follow guidance from authorities such as the Information Commissioner's Office (ICO) in the United Kingdom and the Commission nationale de l'informatique et des libertés (CNIL) in France.
While these may appear to be nuisance "check-the-box" activities, it's an excellent opportunity to evaluate the purpose of your data processing and bring it in line with data protection principles. At the end of the day, what you do for sales, marketing, operations, and customer support can all be thought of as data processes. Businesses that design their data processes in light of data protection principles will be in a better position to be trusted by their customers. If approached correctly, you can use this compliance exercise to explore the intent of your data flows and improve your business functions.
While I've written this article to be as helpful as possible, it cannot and does not contain legal advice. The legal information is provided for general informational and educational purposes only and is not a substitute for professional advice. Accordingly, before taking any action based upon such information, I encourage you to consult with the appropriate professionals. We do not provide any kind of legal advice. Use of or reliance on any information contained on this site is solely at your own risk.
If you require legal assistance, I am happy to refer you to an attorney specializing in privacy laws and regulations.